Abstract


The purpose of this document is to make the Russian cryptographic standards available to the 
Internet community for their implementation in the Transport Layer Security (TLS) Protocol 
Version 1.3. 


This document defines the cipher suites, signature schemes, and key exchange mechanisms for 
using Russian cryptographic standards, called GOST algorithms, with TLS Version 1.3. 
Additionally, this document specifies a profile of TLS 1.3 with GOST algorithms to facilitate 
interoperable implementations. The IETF has not endorsed the cipher suites, signature schemes, 
or key exchange mechanisms described in this document. 


Status of This Memo 


This document is not an Internet Standards Track specification; it is published for informational 
purposes. 


This is a contribution to the RFC Series, independently of any other RFC stream. The RFC Editor 
has chosen to publish this document at its discretion and makes no statement about its value for 
implementation or deployment. Documents approved for publication by the RFC Editor are not 
candidates for any level of Internet Standard; see Section 2 of RFC 7841. 


Information about the current status of this document, any errata, and how to provide feedback
on it may be obtained at https://www.rfc-editor.org/info/rfc9367.


Copyright Notice 


Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights
reserved.


This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF
Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this 
document. Please review these documents carefully, as they describe your rights and restrictions 
with respect to this document.


1. Introduction


This document defines four new cipher suites (the TLS13_GOST cipher suites) and seven new 
signature schemes (the TLS13_GOST signature schemes) for the Transport Layer Security (TLS) 
Protocol Version 1.3 that are based on Russian cryptographic standards GOST R 34.12-2015 
[RFC7801], GOST R 34.11-2012 [RFC6986], and GOST R 34.10-2012 [RFC7091]. 


The TLS13_GOST cipher suites (see Section 4) have the following values: 


TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L = {0xC1, 0x03}
TLS_GOSTR341112_256_WITH_MAGMA_MGM_L = {0xC1, 0x04}
TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S = {0xC1, 0x05}
TLS_GOSTR341112_256_WITH_MAGMA_MGM_S = {0xC1, 0x06}


Each TLS13_GOST cipher suite specifies a pair (record protection algorithm, hash algorithm) such
that:


* The record protection algorithm is the Authenticated Encryption with Associated Data
(AEAD) algorithm (see Section 4.1.1) based on the GOST R 34.12-2015 block cipher [RFC7801]
in the Multilinear Galois Mode (MGM) [RFC9058] and the external re-keying approach (see
[RFC8645]) intended for increasing the lifetime of symmetric keys used to protect records.


* The hash algorithm is the GOST R 34.11-2012 algorithm [RFC6986].


Note: The TLS13_GOST cipher suites are divided into two types: the "_S" (strong) cipher suites and
the "_L" (light) cipher suites (depending on the key lifetime limitations, see Sections 4.1.2 and
4.1.3).


The TLS13_GOST signature schemes have the following values:


gostr34102012_256a = 0x0709
gostr34102012_256b = 0x070A
gostr34102012_256c = 0x070B 
gostr34102012_256d = 0x070C 
gostr34102012_512a = 0x070D 
gostr34102012_512b = 0x070E 
gostr34102012_512c = 0x070F 


Each TLS13_GOST signature scheme specifies a pair (signature algorithm, elliptic curve) such 
that: 


* The signature algorithm is the GOST R 34.10-2012 algorithm [RFC7091]. 
* The elliptic curve is one of the curves defined in Section 5.2. 


This document also specifies the key exchange mechanism with GOST algorithms for the TLS 1.3 
protocol (see Section 6.1). 


Additionally, this document specifies a TLS13_GOST profile of the TLS 1.3 protocol with GOST
algorithms so that implementers can produce interoperable implementations. It uses
TLS13_GOST cipher suites, TLS13_GOST signature schemes, and key exchange mechanisms that
are defined in this document.


2. Conventions Used in This Document 


The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD
NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to
be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in
all capitals, as shown here.


3. Basic Terms and Definitions


This document follows the terminology from [RFC8446BIS] for "main secret". 


This document uses the following terms and definitions for the sets and operations on the 
elements of these sets: 


B_t      The set of byte strings of length t, t >= 0; for t = 0, the B_t set consists of a single
empty string of zero length. If A is an element in B_t, then A = (a_1, a_2, ..., a_t),
where a_1, a_2, ..., a_t are in {0, ..., 255}.


B*       The set of all byte strings of a finite length (hereinafter referred to as strings)
including the empty string.


A[i..j]  The string A[i..j] = (a_i, a_{i+1}, ..., a_j) in B_{j-i+1}, where A = (a_1, a_2, ..., a_t) in
B_t and 1<=i<=j<=t.


A[i]     The integer a_i in {0, ..., 255}, where A = (a_1, a_2, ..., a_t) in B_t and 1<=i<=t.


|A|      The length of the byte string A in bytes.


A | C    The concatenation of strings A and C both belonging to B*; i.e., a string in
B_{|A|+|C|}, where the left substring in B_{|A|} is equal to A and the right substring in
B_{|C|} is equal to C.


i & j    Bitwise AND of integers i and j.


STR_t    The transformation that maps an integer i = 256^{t-1} * i_1 + ... + 256 * i_{t-1} + i_t
into the byte string STR_t(i) = (i_1, ..., i_t) in B_t (the interpretation of the integer
as a byte string in big-endian format).


str_t    The transformation that maps an integer i = 256^{t-1} * i_t + ... + 256 * i_2 + i_1 into
the byte string str_t(i) = (i_1, ..., i_t) in B_t (the interpretation of the integer as a
byte string in little-endian format).


k        The length of the block cipher key in bytes.


n        The length of the block cipher block in bytes.


IVlen    The length of the initialization vector in bytes.


S        The length of the authentication tag in bytes.


E_i      The elliptic curve indicated by the client in "supported_groups" extension.


O_i      The zero point of the elliptic curve E_i.


m_i      The order of the group of points belonging to the elliptic curve E_i.


q_i      The order of the cyclic subgroup of the group of points belonging to the elliptic
curve E_i.


h_i      The cofactor of the cyclic subgroup that is equal to m_i / q_i.


Q_sign   The public key stored in the endpoint's certificate.


d_sign   The private key that corresponds to the Q_sign key.


P_i      The point of the elliptic curve E_i of the order q_i.


(d_C^i, Q_C^i)  The client's ephemeral key pair that consists of the private key and the public
key corresponding to the elliptic curve E_i.


(d_S^i, Q_S^i)  The server's ephemeral key pair that consists of the private key and the public
key corresponding to the elliptic curve E_i.

4. Cipher Suite Definition


This section defines the following four TLS13_GOST cipher suites:


* CipherSuite TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L = {0xC1, 0x03};
* CipherSuite TLS_GOSTR341112_256_WITH_MAGMA_MGM_L = {0xC1, 0x04};
* CipherSuite TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S = {0xC1, 0x05};
* CipherSuite TLS_GOSTR341112_256_WITH_MAGMA_MGM_S = {0xC1, 0x06}.


Each cipher suite specifies a pair consisting of a record protection algorithm (see Section 4.1) and 
a hash algorithm (Section 4.2). 


4.1. Record Protection Algorithm 


In accordance with Section 5.2 of [RFC8446], the record protection algorithm translates a 
TLSPlaintext structure into a TLSCiphertext structure. If the TLS13_GOST cipher suite is 
negotiated, the encrypted_record field of the TLSCiphertext structure MUST be set to the
AEADEncrypted value computed as follows:


AEADEncrypted = AEAD-Encrypt(sender_record_write_key, nonce, additional_data, plaintext),
where


* the AEAD-Encrypt function is defined in Section 4.1.1;


* the sender_record_write_key is a key derived from sender_write_key (see Section 7.3 of
[RFC8446]) using the TLSTREE function defined in Section 4.1.2 and sequence number
seqnum as follows:


sender_record_write_key = TLSTREE(sender_write_key, seqnum);


* the nonce is a value derived from sequence number seqnum and sender_write_iv (see
Section 7.3 of [RFC8446]) in accordance with Section 5.3 of [RFC8446];


* the additional_data value is a record header that is generated in accordance with Section 5.2
of [RFC8446];


* the plaintext value is the TLSInnerPlaintext structure encoded in accordance with Section 5.2
of [RFC8446].


Note 1: The AEAD-Encrypt function is exactly the same as the AEAD-Encrypt function defined in
[RFC8446], such that the key (the first argument) is calculated from sender_write_key and
sequence number seqnum for each message separately to support the external re-keying
approach according to [RFC8645].


Note 2: Sequence number is a value in the range 0-SNMAX, where the SNMAX value is defined in
Section 4.1.3. The SNMAX parameter is specified by a particular TLS13_GOST cipher suite to limit
the amount of data that can be encrypted under the same traffic key material (sender_write_key,
sender_write_iv).


The record deprotection algorithm reverses the process of the record protection. In order to
decrypt and verify a protected record with sequence number seqnum, the algorithm takes
sender_record_write_key as an input, which is derived from sender_write_key, nonce,
additional_data, and the AEADEncrypted value. The algorithm outputs the res value that is either
plaintext or an error indicating that the decryption failed. If a TLS13_GOST cipher suite is
negotiated, the res value MUST be computed as follows:


res = AEAD-Decrypt(sender_record_write_key, nonce, additional_data, AEADEncrypted),
where the AEAD-Decrypt function is as defined in Section 4.1.1.


Note: The AEAD-Decrypt function is exactly the same as the AEAD-Decrypt function defined in
[RFC8446], such that the key (the first argument) is calculated from sender_write_key and
sequence number seqnum for each message separately to support the external re-keying
approach according to [RFC8645].

4.1.1. AEAD Algorithm 


The AEAD-Encrypt and AEAD-Decrypt functions are defined as follows: 
+------------------------------------------------------------+
| Input:                                                     |
| - encryption key K in B_k,                                 |
| - unique vector nonce in B_IVlen,                          |
| - additional authenticated data A in B_r, r >= 0,          |
| - plaintext P in B_t, t >= 0.                              |
| Output:                                                    |
| - ciphertext C in B_{|P|},                                 |
| - authentication tag T in B_S.                             |
|------------------------------------------------------------|
| 1. MGMnonce = STR_1(nonce[1] & 0x7f) | nonce[2..IVlen];    |
| 2. (MGMnonce, A, C, T) = MGM-Encrypt(K, MGMnonce, A, P);   |
| 3. Return C | T.                                           |
+------------------------------------------------------------+


+------------------------------------------------------------+
| Input:                                                     |
| - encryption key K in B_k,                                 |
| - unique vector nonce in B_IVlen,                          |
| - additional authenticated data A in B_r, r >= 0,          |
| - ciphertext C in B_t, t >= 0,                             |
| - authentication tag T in B_S.                             |
| Output:                                                    |
| - plaintext P in B_{|C|} or FAIL.                          |
|------------------------------------------------------------|
| 1. MGMnonce = STR_1(nonce[1] & 0x7f) | nonce[2..IVlen];    |
| 2. res' = MGM-Decrypt(K, MGMnonce, A, C, T);               |
| 3. IF res' = FAIL then return FAIL;                        |
| 4. IF res' = (A, P) then return P.                         |
+------------------------------------------------------------+


where


* the MGM-Encrypt and MGM-Decrypt functions are defined in [RFC9058];
* the length of authentication tag T is equal to n bytes (S = n);
* the length of the nonce parameter is equal to n bytes (IVlen = n).


Cipher suites TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L and 
TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S MUST use Kuznyechik [RFC7801] as a base 
block cipher for the AEAD algorithm. The block length n is 16 bytes (n = 16) and the key length k 
is 32 bytes (k = 32). 


Cipher suites TLS_GOSTR341112_256_WITH_MAGMA_MGM_L and 
TLS_GOSTR341112_256_WITH_MAGMA_MGM_S MUST use Magma [RFC8891] as a base block 
cipher for the AEAD algorithm. The block length n is 8 bytes (n = 8) and the key length k is 32 
bytes (k = 32). 
4.1.2. TLSTREE


The TLS13_GOST cipher suites use the TLSTREE function to support the external re-keying
approach (see [RFC8645]). The TLSTREE function is defined as follows:


TLSTREE(K_root, i) = KDF_3(KDF_2(KDF_1(K_root, STR_8(i & C_1)), STR_8(i & C_2)), STR_8(i &
C_3)),


where


* K_root in B_32;

* i in {0, 1, ..., 2^64 - 1};

* KDF_j(K, D), j = 1, 2, 3, is the key derivation function defined as follows:
  - KDF_1(K, D) = KDF_GOSTR3411_2012_256(K, "level1", D),
  - KDF_2(K, D) = KDF_GOSTR3411_2012_256(K, "level2", D),
  - KDF_3(K, D) = KDF_GOSTR3411_2012_256(K, "level3", D),


where the KDF_GOSTR3411_2012_256 function is defined in [RFC7836], K in B_32, D in B_8;


* C_1, C_2, C_3 are the constants defined by each cipher suite as follows:


CipherSuites C_1, C_2, C_3


TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L C_1 = 0xf800000000000000
C_2 = 0xfffffff000000000
C_3 = 0xffffffffffffe000


TLS_GOSTR341112_256_WITH_MAGMA_MGM_L C_1 = 0xffe0000000000000
C_2 = 0xffffffffc0000000
C_3 = 0xffffffffffffff80


TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S C_1 = 0xffffffffe0000000
C_2 = 0xffffffffffff0000
С З-Ох ЕЕЕ 


TLS_GOSTR341112_256_WITH_MAGMA_MGM_S C_1 = 0xfffffffffc000000
C_2 = 0xffffffffffffe000
С З-Ох ЕЕЕ 


Table 1 


4.1.3. SNMAX Parameter 


The SNMAX parameter is the maximum number of records encrypted under the same traffic key 
material (sender_write_key and sender_write_iv) and is defined by each cipher suite as follows: 


CipherSuites                                 SNMAX
TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L    SNMAX = 2^64 - 1
TLS_GOSTR341112_256_WITH_MAGMA_MGM_L         SNMAX = 2^64 - 1
TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S    SNMAX = 2^42 - 1
TLS_GOSTR341112_256_WITH_MAGMA_MGM_S         SNMAX = 2^39 - 1


Table 2
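

Added example (not part of the RFC text or of any implementation it describes): per-record derivation of sender_record_write_key and MGMnonce for the two "_L" suites, using the C_1..C_3 and SNMAX values from Tables 1 and 2. HMAC-SHA-256 is a labelled stand-in for KDF_GOSTR3411_2012_256 because the GOST R 34.11-2012 hash is not in the Python standard library, so the outputs are not GOST test vectors; all function names are hypothetical.

```python
import hashlib
import hmac

# C_1..C_3, SNMAX and IVlen = n for the two "_L" suites (Tables 1 and 2, Section 4.1.1).
SUITES = {
    "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L": {
        "consts": (0xF800000000000000, 0xFFFFFFF000000000, 0xFFFFFFFFFFFFE000),
        "snmax": 2**64 - 1,
        "iv_len": 16,
    },
    "TLS_GOSTR341112_256_WITH_MAGMA_MGM_L": {
        "consts": (0xFFE0000000000000, 0xFFFFFFFFC0000000, 0xFFFFFFFFFFFFFF80),
        "snmax": 2**64 - 1,
        "iv_len": 8,
    },
}


def kdf_standin(key: bytes, label: bytes, seed: bytes) -> bytes:
    """ASSUMPTION: HMAC-SHA-256 replaces the GOST HMAC used by
    KDF_GOSTR3411_2012_256; the input layout 0x01|label|0x00|seed|0x01|0x00
    is modelled on the RFC 7836 KDF."""
    msg = b"\x01" + label + b"\x00" + seed + b"\x01\x00"
    return hmac.new(key, msg, hashlib.sha256).digest()


def tlstree(k_root: bytes, seqnum: int, consts, kdf=kdf_standin) -> bytes:
    """TLSTREE(K_root, i): three chained KDF levels keyed on masked seqnum."""
    if len(k_root) != 32:
        raise ValueError("K_root must be 32 bytes")
    key = k_root
    for level, mask in enumerate(consts, start=1):
        seed = (seqnum & mask).to_bytes(8, "big")  # STR_8(i & C_level)
        key = kdf(key, b"level%d" % level, seed)
    return key


def mgm_nonce(write_iv: bytes, seqnum: int) -> bytes:
    """RFC 8446 Section 5.3 nonce, then the top bit of byte 1 cleared."""
    padded = seqnum.to_bytes(len(write_iv), "big")
    nonce = bytes(a ^ b for a, b in zip(padded, write_iv))
    return bytes([nonce[0] & 0x7F]) + nonce[1:]


def record_params(suite: str, write_key: bytes, write_iv: bytes, seqnum: int):
    """Return (sender_record_write_key, MGMnonce) for one record."""
    params = SUITES[suite]
    if not 0 <= seqnum <= params["snmax"]:
        raise ValueError("sequence number exceeds SNMAX: new traffic keys needed")
    if len(write_iv) != params["iv_len"]:
        raise ValueError("write_iv length must equal IVlen")
    return tlstree(write_key, seqnum, params["consts"]), mgm_nonce(write_iv, seqnum)


def records_per_leaf_key(suite: str) -> int:
    """Consecutive sequence numbers that share one level-3 (record) key."""
    c3 = SUITES[suite]["consts"][2]
    return (~c3 & 0xFFFFFFFFFFFFFFFF) + 1


if __name__ == "__main__":
    suite = "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L"
    key, iv = bytes(range(32)), bytes(16)  # constructed sample key material
    for seq in (0, 8191, 8192):
        rk, nonce = record_params(suite, key, iv, seq)
        print(seq, rk.hex()[:16], nonce.hex())
```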


4.2. Hash Algorithm 


The Hash algorithm is used for the key derivation process (see Section 7.1 of [RFC8446]), Finished 
message calculation (see Section 4.4.4 of [RFC8446]), Transcript-Hash function computation (see 
Section 4.4.1 of [RFC8446]), Pre-Shared Key (PSK) binder value calculation (see Section 4.2.11.2 of 
[RFC8446]), external re-keying approach (see Section 4.1.2), and other purposes. 


If a TLS13_GOST cipher suite is negotiated, the Hash algorithm MUST be the GOST R 34.11-2012 
hash algorithm [RFC6986] with a 32-byte (256-bit) hash value. 


5. Signature Scheme Definition 


This section defines the following seven TLS13_GOST signature schemes: 


enum {
    gostr34102012_256a(0x0709),
    gostr34102012_256b(0x070A),
    gostr34102012_256c(0x070B),
    gostr34102012_256d(0x070C),
    gostr34102012_512a(0x070D),
    gostr34102012_512b(0x070E),
    gostr34102012_512c(0x070F)
} SignatureScheme;


One of the TLS13_GOST signature schemes listed above SHOULD be used with the TLS13_GOST
profile.


Each signature scheme specifies a pair consisting of the signature algorithm (see Section 5.1) and
the elliptic curve (see Section 5.2). The procedure to calculate the signature value using
TLS13_GOST signature schemes is defined in Section 5.3.


5.1. Signature Algorithm


Signature algorithms corresponding to the TLS13_GOST signature schemes are defined as
follows: 


SignatureScheme Value   Signature Algorithm
gostr34102012_256a      GOST R 34.10-2012, 32-byte key length
gostr34102012_256b      GOST R 34.10-2012, 32-byte key length
gostr34102012_256c      GOST R 34.10-2012, 32-byte key length
gostr34102012_256d      GOST R 34.10-2012, 32-byte key length
gostr34102012_512a      GOST R 34.10-2012, 64-byte key length
gostr34102012_512b      GOST R 34.10-2012, 64-byte key length
gostr34102012_512c      GOST R 34.10-2012, 64-byte key length
References: RFC 7091


Table 3


GOST Cipher Suites for TLS 1.3                                                  February 2023


5.2. Elliptic Curve


Elliptic curves corresponding to the TLS13_GOST signature schemes are defined as follows:


SignatureScheme Value   Curve Identifier Value
gostr34102012_256a      id-tc26-gost-3410-2012-256-paramSetA
gostr34102012_256b      id-GostR3410-2001-CryptoPro-A-ParamSet
gostr34102012_256c      id-GostR3410-2001-CryptoPro-B-ParamSet
gostr34102012_256d      id-GostR3410-2001-CryptoPro-C-ParamSet
gostr34102012_512a      id-tc26-gost-3410-12-512-paramSetA
gostr34102012_512b      id-tc26-gost-3410-12-512-paramSetB
gostr34102012_512c      id-tc26-gost-3410-2012-512-paramSetC
References: RFC 4357


Table 4


5.3. SIGN Function


If the TLS13_GOST signature scheme is used, the signature value in the CertificateVerify message
(see Section 6.3.4) MUST be calculated using the SIGN function defined as follows:


+------------------------------------------------------------+
| Input:                                                     |
| - the sign key d_sign: 0 < d_sign < q;                     |
| - the byte string M in B*.                                 |
| Output:                                                    |
| - signature value sgn in B_{2*l}.                          |
|------------------------------------------------------------|
| 1. (r, s) = SIGNGOST(d_sign, M)                            |
| 2. Return str_l(r) | str_l(s).                             |
+------------------------------------------------------------+


where


* q is the subgroup order of the group of points of the elliptic curve;
* l is defined as follows:
  - l = 32 for the gostr34102012_256a, gostr34102012_256b, gostr34102012_256c, and
    gostr34102012_256d signature schemes;
  - l = 64 for the gostr34102012_512a, gostr34102012_512b, and gostr34102012_512c signature
    schemes;
* SIGNGOST is an algorithm that takes a private key d_sign and a message M as an input and
returns a pair of integers (r, s) that is calculated during the signature generation process in
accordance with the GOST R 34.10-2012 signature algorithm (see Section 6.1 of [RFC7091]).


Note: The signature value sgn is the concatenation of two strings that are byte representations of
r and s values in the little-endian format.


6. Key Exchange and Authentication 


The key exchange and authentication process for using the TLS13_GOST profile is defined in
Sections 6.1, 6.2, and 6.3.


6.1. Key Exchange


The TLS13_GOST profile supports three basic key exchange modes that are defined in [RFC8446]:
Ephemeral Elliptic Curve Diffie-Hellman (ECDHE), PSK-only, and PSK with ECDHE.


Note: In accordance with [RFC8446], TLS 1.3 also supports key exchange modes based on the
Diffie-Hellman protocol over finite fields. However, the TLS13_GOST profile MUST use modes
based on the Diffie-Hellman protocol over elliptic curves.


In accordance with [RFC8446], PSKs can be divided into two types:


* internal PSKs that can be established during the previous connection;
* external PSKs that can be established out of band.


If the TLS13_GOST profile is used, PSK-only key exchange mode SHOULD be established via the
internal PSKs, and external PSKs SHOULD be used only in PSK with ECDHE mode (see more in 
Section 9). 


If the TLS13_GOST profile is used and ECDHE or PSK with ECDHE key exchange mode is used, the 
ECDHE shared secret SHOULD be calculated in accordance with Section 6.1.1 on the basis of one 
of the elliptic curves defined in Section 6.1.2. 


6.1.1. ECDHE Shared Secret Calculation 


If the TLS13_GOST profile is used, the ECDHE shared secret SHOULD be calculated in accordance 
with Sections 6.1.1.1 and 6.1.1.2. The public ephemeral keys used to obtain the ECDHE shared 
secret SHOULD be represented in the format described in Section 6.1.1.3. 


6.1.1.1. ECDHE Shared Secret Calculation on the Client Side


The client calculates the ECDHE shared secret in accordance with the following steps:


Step 1. The client chooses from all supported curves E_1, ..., E_R the set of curves E_{i_1}, ...,
E_{i_r}, 1 <= i_1 <= i_r <= R, where


* r >= 1 in the case of the first ClientHello message;


* r = 1 in the case of responding to the HelloRetryRequest message; E_{i_1}
corresponds to the curve indicated in the "key_share" extension in the
HelloRetryRequest message.


Step 2. The client generates ephemeral key pairs (d_C^{i_1}, Q_C^{i_1}), ..., (d_C^{i_r}, Q_C^{i_r})
corresponding to the curves E_{i_1}, ..., E_{i_r}, where for each i in {i_1, ..., i_r}:


* d_C^i is chosen from {1, ..., q_i - 1} at random;
* Q_C^i = d_C^i * P_i.


Step 3. The client sends the ClientHello message specified in accordance with Section 4.1.2 of
[RFC8446] and Section 6.3.1 that contains:


* "key_share" extension with public ephemeral keys Q_C^{i_1}, ..., Q_C^{i_r} built in
accordance with Section 4.2.8 of [RFC8446];

* "supported_groups" extension with supported curves E_1, ..., E_R built in
accordance with Section 4.2.7 of [RFC8446].


Note: The client MAY send an empty "key_share" extension in the first ClientHello
message to request a group selection from the server in the HelloRetryRequest
message and to generate an ephemeral key for the selected group only. The ECDHE
shared secret may be calculated without sending HelloRetryRequest message if the
"key_share" extension in the first ClientHello message contains the value
corresponding to the curve that is selected by the server.


Step 4. If the HelloRetryRequest message is received, the client MUST return to Step 1 and
choose correct parameters in accordance with Section 4.1.2 of [RFC8446]. If the
ServerHello message is received, the client proceeds to the next step. In other cases, the
client MUST terminate the connection with the "unexpected_message" alert.


Step 5. The client extracts curve E_res and ephemeral key Q_S^res, res in {1, ..., R}, from the
ServerHello message and checks whether Q_S^res belongs to E_res. If this check fails,
the client MUST terminate the connection with "handshake_failure" alert.


Step 6. The client generates Q^ECDHE:
Q^ECDHE = (X^ECDHE, Y^ECDHE) = (h_res * d_C^res) * Q_S^res.


Step 7. The client MUST check whether the calculated shared secret Q^ECDHE is not equal to
the zero point O_res. If this check fails, the client MUST terminate the connection with
"handshake_failure" alert.


Step 8. The ECDHE shared secret is the byte representation of the coordinate X^ECDHE of the
point Q^ECDHE in the little-endian format:


ECDHE = str_{coordinate_length}(X^ECDHE),


where the coordinate_length value is defined by the particular elliptic curve (see
Section 6.1.2).


6.1.1.2. ECDHE Shared Secret Calculation on Server Side 


Upon receiving the ClientHello message, the server calculates the ECDHE shared secret in 
accordance with the following steps: 


Step 1. The server chooses the curve E_res, res in {1, ..., R}, from the list of the curves E_1, ...,
E_R indicated in the "supported_groups" extension in the ClientHello message and the
corresponding public ephemeral key Q_C^res from the list Q_C^{i_1}, ..., Q_C^{i_r}, 1 <=
i_1 <= i_r <= R, indicated in the "key_share" extension. If the corresponding public
ephemeral key is not found (res in {1, ..., R} \ {i_1, ..., i_r}), the server MUST send the
HelloRetryRequest message with the "key_share" extension indicating the selected
elliptic curve E_res and wait for the new ClientHello message.


Step 2. The server checks whether Q_C^res belongs to E_res. If this check fails, the server MUST
terminate the connection with "handshake_failure" alert.


Step 3. The server generates ephemeral key pair (d_S^res, Q_S^res) corresponding to E_res:


* d_S^res is chosen from {1, ..., q_res - 1} at random;
* Q_S^res = d_S^res * P_res.


Step 4. The server sends the ServerHello message generated in accordance with Section 4.1.3 of
[RFC8446] and Section 6.3.1 with the "key_share" extension that contains public
ephemeral key Q_S^res corresponding to E_res.


Step 5. The server generates Q^ECDHE:
Q^ECDHE = (X^ECDHE, Y^ECDHE) = (h_res * d_S^res) * Q_C^res.


Step 6. The server MUST check whether the calculated shared secret Q^ECDHE is not equal to
the zero point O_res. If this check fails, the server MUST abort the handshake with
"handshake_failure" alert.


Step 7. The ECDHE shared secret is the byte representation of the coordinate X^ECDHE of the
point Q^ECDHE in the little-endian format:


ECDHE = str_{coordinate_length}(X^ECDHE),


where the coordinate_length value is defined by the particular elliptic curve (see
Section 6.1.2).


6.1.1.3. Public Ephemeral Key Representation 


This section defines the representation format of the public ephemeral keys generated during the 
ECDHE shared secret calculation (see Sections 6.1.1.1 and 6.1.1.2). 


If the TLS13_GOST profile is used and ECDHE or PSK with ECDHE key exchange mode is used, the 
public ephemeral key Q indicated in the KeyShareEntry.key_exchange field MUST contain the
data defined by the following structure:


struct {
    opaque X[coordinate_length];
    opaque Y[coordinate_length];
} PlainPointRepresentation;


where X and Y, respectively, contain the byte representations of x and y values of the point Q (Q =
(x, y)) in the little-endian format and are specified as follows:


* X = str_{coordinate_length}(x);
* Y = str_{coordinate_length}(y).


The coordinate_length value is defined by the particular elliptic curve (see Section 6.1.2).
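

Added example (not from the RFC): the peer-key checks and shared-secret steps of Sections 6.1.1.1 and 6.1.1.2, together with the PlainPointRepresentation encoding above, run on a constructed toy curve y^2 = x^3 - x over F_1051 (m = 1052, q = 263, h = 4) instead of a GOST curve. All function names and the HandshakeFailure exception are hypothetical.

```python
import secrets

# CONSTRUCTED toy parameters (not a GOST curve): y^2 = x^3 + A*x + B over F_p.
P_MOD, A, B = 1051, -1, 0
Q_ORD, H = 263, 4      # subgroup order q and cofactor h, m = q * h = 1052
COORD_LEN = 2          # coordinate_length in bytes for this toy field


class HandshakeFailure(Exception):
    """Stands in for terminating with the handshake_failure alert."""


def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P_MOD == 0


def add(p1, p2):
    """Affine point addition; None represents the zero point O."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P_MOD, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD


def mul(k, pt):
    """Double-and-add scalar multiplication k * pt."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def base_point():
    """First curve point with y != 0, multiplied by h so its order is q."""
    for x in range(2, P_MOD):
        rhs = (x ** 3 + A * x + B) % P_MOD
        y = pow(rhs, (P_MOD + 1) // 4, P_MOD)  # square root, valid as p = 3 mod 4
        if y and y * y % P_MOD == rhs:
            return mul(H, (x, y))


P_I = base_point()


def encode_point(pt):
    """PlainPointRepresentation: X | Y, each little-endian (str_cl)."""
    return pt[0].to_bytes(COORD_LEN, "little") + pt[1].to_bytes(COORD_LEN, "little")


def decode_point(data):
    """Parse a key_exchange value and check that the point belongs to the curve."""
    if len(data) != 2 * COORD_LEN:
        raise HandshakeFailure("bad key_exchange length")
    x = int.from_bytes(data[:COORD_LEN], "little")
    y = int.from_bytes(data[COORD_LEN:], "little")
    if x >= P_MOD or y >= P_MOD or not on_curve((x, y)):
        raise HandshakeFailure("point is not on the curve")
    return x, y


def keypair(d=None):
    """Ephemeral pair (d, Q = d * P_i); d is random in {1, ..., q-1} if not given."""
    if d is None:
        d = secrets.randbelow(Q_ORD - 1) + 1
    if not 1 <= d < Q_ORD:
        raise ValueError("private key out of range")
    return d, encode_point(mul(d, P_I))


def ecdhe_shared_secret(d, peer_key_exchange):
    """Validate the peer key, compute (h * d) * Q, reject O, return str_cl(X)."""
    q_peer = decode_point(peer_key_exchange)
    shared = mul(H * d, q_peer)
    if shared is None:
        raise HandshakeFailure("shared point is the zero point")
    return shared[0].to_bytes(COORD_LEN, "little")
```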


6.1.2. Values for the TLS Supported Groups Registry 


The "supported_groups" extension is used to indicate the set of the elliptic curves supported by
an endpoint and is defined in Section 4.2.7 of [RFC8446]. This extension is always contained in
the ClientHello message and optionally in the EncryptedExtensions message.


This section defines the following seven elliptic curves:


enum {
    GC256A(0x22), GC256B(0x23), GC256C(0x24), GC256D(0x25),
    GC512A(0x26), GC512B(0x27), GC512C(0x28)
} NamedGroup;


If the TLS13_GOST profile is used and ECDHE or PSK with ECDHE key exchange mode is used, one
of the elliptic curves listed above SHOULD be used.


Each curve corresponds to the particular identifier and specifies the value of coordinate_length
parameter (see "cl" column) as follows:


Description  Curve Identifier Value                   cl  Reference
GC256A       id-tc26-gost-3410-2012-256-paramSetA     32  RFC 7836
GC256B       id-GostR3410-2001-CryptoPro-A-ParamSet   32  RFC 4357
GC256C       id-GostR3410-2001-CryptoPro-B-ParamSet   32  RFC 4357
GC256D       id-GostR3410-2001-CryptoPro-C-ParamSet   32  RFC 4357
GC512A       id-tc26-gost-3410-12-512-paramSetA       64  RFC 7836
GC512B       id-tc26-gost-3410-12-512-paramSetB       64  RFC 7836
GC512C       id-tc26-gost-3410-2012-512-paramSetC     64  RFC 7836


Table 5


Note: The identifier values and the corresponding elliptic curves are the same as in [RFC9189]. 


6.2. Authentication 


In accordance with [RFC8446], authentication can be performed via a signature with a certificate 
or via a symmetric PSK. The server side is always authenticated; the client side is optionally 
authenticated. 


PSK-based authentication is performed as a side effect of key exchange. If the TLS13_GOST profile 
is used, external PSKs SHOULD be combined only with mutual authentication (see Section 9). 


Certificate-based authentication is performed via Authentication messages and an optional 
CertificateRequest message (sent if client authentication is required). If the TLS13_GOST profile is 
used, the signature schemes used for certificate-based authentication are defined in Section 5 
and Authentication messages are specified in Sections 6.3.3 and 6.3.4. The CertificateRequest 
message is specified in Section 6.3.2.


6.3. Handshake Messages


The TLS13_GOST profile specifies the ClientHello, ServerHello, CertificateRequest, Certificate and 
CertificateVerify handshake messages that are described in further detail below. 


6.3.1. Hello Messages 


The ClientHello message is sent when the client first connects to the server or responds to the 
HelloRetryRequest message and is specified in accordance with Section 4.1.2 of [RFC8446]. 


If the TLS13_GOST profile is used, the ClientHello message MUST meet the following
requirements:


* The ClientHello.cipher_suites field MUST contain the values defined in Section 4.


* If server authentication via a certificate is required, the extension_data field of the
"signature_algorithms" extension MUST contain the values defined in Section 5 that
correspond to the GOST R 34.10-2012 signature algorithm.


* If server authentication via a certificate is required and the client uses optional
"signature_algorithms_cert" extension, the extension_data field of this extension SHOULD
contain the values defined in Section 5 that correspond to the GOST R 34.10-2012 signature
algorithm.


* If the client wants to establish a TLS 1.3 connection using the ECDHE shared secret, the
extension_data field of the "supported_groups" extension MUST contain the elliptic curve
identifiers defined in Section 6.1.2.


The ServerHello message is sent by the server in response to the ClientHello message to negotiate
an acceptable set of handshake parameters based on the ClientHello message and is specified in
accordance with Section 4.1.3 of [RFC8446].


If the TLS13_GOST profile is used, the ServerHello message MUST meet the following
requirements:


* The ServerHello.cipher_suite field MUST contain one of the values defined in Section 4.


* If the server decides to establish a TLS 1.3 connection using the ECDHE shared secret, the
extension_data field of the "key_share" extension MUST contain the elliptic curve identifier
and the public ephemeral key that satisfy the following conditions:


  - The elliptic curve identifier corresponds to the value that was indicated in the
    "supported_groups" and the "key_share" extensions in the ClientHello message.

  - The elliptic curve identifier is one of the values defined in Section 6.1.2.

  - The public ephemeral key corresponds to the elliptic curve specified by the
    KeyShareEntry.group identifier.


6.3.2. CertificateRequest 


This message is sent when the server requests client authentication via a certificate and is 
specified in accordance with Section 4.3.2 of [RFC8446]. 


If the TLS13_GOST profile is used, the CertificateRequest message MUST meet the following
requirements:


* The extension_data field of the "signature_algorithms" extension MUST contain only the
values defined in Section 5.


* If the server uses optional "signature_algorithms_cert" extension, the extension_data field of
this extension SHOULD contain only the values defined in Section 5.


6.3.3. Certificate 


This message is sent to convey the endpoint's certificate chain to the peer and is specified in 
accordance with Section 4.4.2 of [RFC8446]. 


If the TLS13_GOST profile is used, the Certificate message MUST meet the following requirements. 


* Each endpoint's certificate provided to the peer MUST be signed using the algorithm that
corresponds to a signature scheme indicated by the peer in its "signature_algorithms_cert"
extension, if present (or in the "signature_algorithms" extension, otherwise).


* The signature algorithm used for signing certificates SHOULD correspond to one of the 
signature schemes defined in Section 5. 


6.3.4. CertificateVerify 


This message is sent to provide explicit proof that the endpoint has the private key 
corresponding to the public key indicated in its certificate and is specified in accordance with 
Section 4.4.3 of [RFC8446]. 


If the TLS13_GOST profile is used, the CertificateVerify message MUST meet the following 
requirements: 


* The CertificateVerify.algorithm field MUST contain the signature scheme identifier that
corresponds to the value indicated in the peer's "signature_algorithms" extension and is one
of the values defined in Section 5.


* The CertificateVerify.signature field contains the sgn value that is computed as follows:

    sgn = SIGN(d_sign, M),

  where

  - the SIGN function is defined in Section 5.3;

  - d_sign is the sender's long-term private key that corresponds to the sender's long-term
    public key Q_sign from the sender's certificate;

  - the message M is defined in accordance with Section 4.4.3 of [RFC8446].

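The requirements of Sections 6.3.2 and 6.3.4 can be enforced mechanically. The following is an added example, not code from this document or its authors: it parses a "signature_algorithms" extension_data value and applies both rules using the code points listed in Table 7. The first sample is the extension_data carried in the ClientHello of Appendix A.1.2 (same wire format); the CertificateVerify body uses a constructed placeholder signature, and all function names are hypothetical.

```python
import struct

# SignatureScheme code points listed in Table 7 of this document.
GOST_SIGNATURE_SCHEMES = {
    0x0709: "gostr34102012_256a",
    0x070A: "gostr34102012_256b",
    0x070B: "gostr34102012_256c",
    0x070C: "gostr34102012_256d",
    0x070D: "gostr34102012_512a",
    0x070E: "gostr34102012_512b",
    0x070F: "gostr34102012_512c",
}

# extension_data of "signature_algorithms" from the Appendix A.1.2 ClientHello.
PAGE_SIG_ALGS = bytes.fromhex("000e0709070a070b070c070d070e070f")

# Constructed sample: algorithm 070A, length 0040, then a 64-byte
# all-zero placeholder where the real sgn value would be.
SAMPLE_CERTIFICATE_VERIFY = bytes.fromhex("070a0040") + bytes(64)


class ProfileViolation(ValueError):
    """A MUST-level requirement of the TLS13_GOST profile is not met."""


def parse_scheme_list(extension_data):
    """Decode a uint16-length-prefixed list of uint16 SignatureScheme values."""
    if len(extension_data) < 2:
        raise ProfileViolation("truncated extension_data")
    (list_len,) = struct.unpack_from(">H", extension_data)
    body = extension_data[2:]
    if list_len != len(body) or list_len < 2 or list_len % 2:
        raise ProfileViolation("malformed signature scheme list")
    return [scheme for (scheme,) in struct.iter_unpack(">H", body)]


def check_certificate_request(sig_algs, sig_algs_cert=None):
    """Section 6.3.2: MUST for signature_algorithms, SHOULD for the _cert form.

    Returns (schemes, warnings); SHOULD-level deviations become warnings.
    """
    schemes = parse_scheme_list(sig_algs)
    foreign = [s for s in schemes if s not in GOST_SIGNATURE_SCHEMES]
    if foreign:
        raise ProfileViolation(
            "non-GOST schemes in signature_algorithms: "
            + ", ".join("0x%04X" % s for s in foreign))
    warnings = []
    if sig_algs_cert is not None:
        foreign_cert = [s for s in parse_scheme_list(sig_algs_cert)
                        if s not in GOST_SIGNATURE_SCHEMES]
        if foreign_cert:
            warnings.append(
                "non-GOST schemes in signature_algorithms_cert: "
                + ", ".join("0x%04X" % s for s in foreign_cert))
    return schemes, warnings


def check_certificate_verify(body, peer_schemes):
    """Section 6.3.4: algorithm must be a GOST scheme the peer offered."""
    if len(body) < 4:
        raise ProfileViolation("truncated CertificateVerify")
    algorithm, sig_len = struct.unpack_from(">HH", body)
    if sig_len != len(body) - 4:
        raise ProfileViolation("signature length does not match body")
    if algorithm not in GOST_SIGNATURE_SCHEMES:
        raise ProfileViolation("algorithm 0x%04X is not a GOST scheme" % algorithm)
    if algorithm not in peer_schemes:
        raise ProfileViolation("algorithm 0x%04X was not offered by the peer" % algorithm)
    return GOST_SIGNATURE_SCHEMES[algorithm]
```
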
7. IANA Considerations 


IANA has added the following values to the "TLS Cipher Suites" registry with a reference to this
RFC:


Value        Description                                 DTLS-OK  Recommended
0xC1, 0x03   TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L   N        N
0xC1, 0x04   TLS_GOSTR341112_256_WITH_MAGMA_MGM_L        N        N
0xC1, 0x05   TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S   N        N
0xC1, 0x06   TLS_GOSTR341112_256_WITH_MAGMA_MGM_S        N        N

Table 6


IANA has added the following values to the "TLS SignatureScheme" registry with a reference to 
this RFC: 


Value    Description          Recommended
0x0709   gostr34102012_256a   N
0x070A   gostr34102012_256b   N
0x070B   gostr34102012_256c   N
0x070C   gostr34102012_256d   N
0x070D   gostr34102012_512a   N
0x070E   gostr34102012_512b   N
0x070F   gostr34102012_512c   N

Table 7


8. Historical Considerations 


In addition to the curve identifier values listed in Table 5, there are some additional identifier 
values that correspond to the signature schemes for historical reasons. They are as follows: 


Description          Curve Identifier Value
gostr34102012_256b   id-GostR3410-2001-CryptoPro-XchA-ParamSet,
                     id-tc26-gost-3410-2012-256-paramSetB
gostr34102012_256c   id-tc26-gost-3410-2012-256-paramSetC
gostr34102012_256d   id-GostR3410-2001-CryptoPro-XchB-ParamSet,
                     id-tc26-gost-3410-2012-256-paramSetD

Table 8


The client should be prepared to handle any of them correctly if the corresponding signature
scheme is included in the "signature_algorithms" or "signature_algorithms_cert" extensions.


9. Security Considerations 


In order to create an efficient and side-channel resistant implementation while using the
TLSTREE algorithm, the functions KDF_j, j = 1, 2, 3, SHOULD be called only when necessary (when
the record sequence number seqnum reaches such a value that
seqnum & C_j != (seqnum - 1) & C_j). Otherwise, the previous value should be used.
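
One way to apply this recommendation, as an added example that is not part of the original document: the cache below recomputes a KDF_j level only when the masked sequence number for that level changes, which generalizes the seqnum & C_j != (seqnum - 1) & C_j test to records processed in any order. The masks are constructed sample values and HMAC-SHA-256 stands in for the GOST KDF (both assumptions, as are all class and function names); substitute the C_1..C_3 constants and the KDF that this document defines for the negotiated cipher suite.

```python
import hashlib
import hmac
import struct

# Constructed sample masks, NOT the document's C_1..C_3 constants:
# level 1 changes every 65536 records, level 2 every 256, level 3 every 8.
SAMPLE_MASKS = (0xFFFFFFFFFFFF0000, 0xFFFFFFFFFFFFFF00, 0xFFFFFFFFFFFFFFF8)
LEVEL_LABELS = (b"level1", b"level2", b"level3")


def standin_kdf(key, label, seed):
    """Stand-in for KDF_j (assumption): HMAC-SHA-256, not the GOST KDF."""
    return hmac.new(key, label + b"\x00" + seed, hashlib.sha256).digest()


def tlstree_uncached(root_key, seqnum, masks=SAMPLE_MASKS, kdf=standin_kdf):
    """Reference derivation: all three KDF_j calls for every record."""
    key = root_key
    for label, mask in zip(LEVEL_LABELS, masks):
        key = kdf(key, label, struct.pack(">Q", seqnum & mask))
    return key


class CachedTlsTree:
    """Keeps the last key of each level and re-derives only stale levels."""

    def __init__(self, root_key, masks=SAMPLE_MASKS, kdf=standin_kdf):
        self._root_key = root_key
        self._masks = masks
        self._kdf = kdf
        self._masked = [None, None, None]  # last seqnum & C_j per level
        self._keys = [None, None, None]    # last KDF_j output per level
        self.kdf_calls = 0

    def record_key(self, seqnum):
        if not 0 <= seqnum < 2 ** 64:
            raise ValueError("seqnum must fit in 64 bits")
        parent = self._root_key
        stale = False
        for j, mask in enumerate(self._masks):
            masked = seqnum & mask
            # The comparison uses only the public sequence number, so the
            # branch does not depend on key material. Once a level is
            # re-derived, every level below it must be re-derived as well.
            if stale or self._masked[j] != masked:
                self._keys[j] = self._kdf(
                    parent, LEVEL_LABELS[j], struct.pack(">Q", masked))
                self._masked[j] = masked
                self.kdf_calls += 1
                stale = True
            parent = self._keys[j]
        return parent


def compare_call_counts(n_records, root_key=bytes(32)):
    """Return (cached KDF calls, uncached KDF calls) for records 0..n-1."""
    tree = CachedTlsTree(root_key)
    for seqnum in range(n_records):
        if tree.record_key(seqnum) != tlstree_uncached(root_key, seqnum):
            raise AssertionError("cache diverged at seqnum %d" % seqnum)
    return tree.kdf_calls, 3 * n_records


if __name__ == "__main__":
    cached, uncached = compare_call_counts(600)
    print("KDF calls for 600 records: cached=%d uncached=%d" % (cached, uncached))
```
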


Appendix A. Test Examples


A.1. Example 1


A.1.1. Test Case

Test examples are given for the following instance of the TLS13_GOST profile:


1. Full TLS Handshake is used.

2. ECDHE key exchange mode is used. The elliptic curve GC512C is used for ECDHE shared
secret calculation.

3. Authentication is only used on the server side. The signature scheme gost34102012_256b is
used.

4. TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S cipher suite is negotiated.

5. Application Data is sent by the server prior to receiving the Finished message from the client.

6. NewSessionTicket is sent after establishing a secure connection.

7. Nine Application Data records are sent during the operation of the Record protocol. The
sequence numbers are selected to demonstrate the operation of the TLSTREE function.

8. Alert protocol is used for closure of the connection.


A.1.2. Test Examples


ClientHello message:
  msg_type:                  01
  length:                    0000DE
  body:
    legacy_version:          0303
    random:                  03030303030303030303030303030303
                             03030303030303030303030303030303
    legacy_session_id:
      length:                00
      vector:                --
    cipher_suites:
      length:                0002
      vector:
        CipherSuite:         C105
    compression_methods:
      length:                01
      vector:
        CompressionMethod:   00
    extensions:
      length:                00B3
      vector:
        Extension: /* supported_groups */
          extension_type:    000A
          extension_data:
            length:          0004
            vector:
              named_group_list:
                length:      0002
                vector:
                  /* GC512C */
                             0028
        Extension: /* signature_algorithms */
          extension_type:    000D
          extension_data:
            length:          0010
            vector:
              supported_signature_algorithms:
                length:      000E
                vector:
                  /* gost34102012_256a */
                             0709
                  /* gost34102012_256b */
                             070A
                  /* gost34102012_256c */
                             070B
                  /* gost34102012_256d */
                             070C
                  /* gost34102012_512a */
                             070D
                  /* gost34102012_512b */
                             070E
                  /* gost34102012_512c */
                             070F
        Extension: /* supported_versions */
          extension_type:    002B
          extension_data:
            length:          0003
            vector:
              versions:
                length:      02
                vector:
                             0304
        Extension: /* psk_key_exchange_modes */
          extension_type:    002D
          extension_data:
            length:          0002
            vector:
              ke_modes:
                length:      01
                vector:
                  /* psk_ke */
                             00
        Extension: /* key_share */
          extension_type:    0033
          extension_data:
            length:          0086
            vector:
              length:        0084
              vector:
                group:       0028
                key_exchange:
                  length:    0080
                  vector:


Record layer message:
  type:                      16
  legacy_record_version:     0301
  length:                    00E2
  fragment:

ServerHello message:
  msg_type:                  02
  length:                    0000B6
  body:
    legacy_version:          0303
    random:                  83838383838383838383838383838383
                             83838383838383838383838383838383
    legacy_session_id:
      length:                00
      vector:                --
    cipher_suite:
      CipherSuite:           C105
    compression_method:
      CompressionMethod:     00
    extensions:
      length:                008E
      vector:
        Extension: /* supported_versions */
          extension_type:    002B
          extension_data:
            length:          0002
            vector:
              selected_version:
                             0304
        Extension: /* key_share */
          extension_type:    0033
          extension_data:
            length:          0084
            vector:
              group:         0028
              key_exchange:
                length:      0080
                vector:


Record layer message:
  type:                      16
  legacy_record_version:     0303
  length:                    00BA
  fragment:



EncryptedExtensions message:
  msg_type:                  08
  length:                    000002
  body:
    extensions:
      length:                0000
      vector:                --

00000: 08 00 00 02 00 00


Record payload protection: 
EarlySecret = HKDF-Extract(Salt: 0^256, IKM: 0^256):
00000: FB DE FB E5 27 FE ҒА 66 БА АВ 92 77 А2 16 3B 83 
80018: 43 08 4F D1 91 C4 60 66 26 OF AC 6F D1 43 6С 72 
Derived #0 = Derive-Secret(EarlySecret, "derived", "") = 
HKDF-Expand-Label(EarlySecret, "derived", "", 32): 
00000: DB C3 C8 26 D8 77 АЗ B7 D2 D2 45 3D BF DC 6C FB 
00018: FB 11 51 ВЗ E8 4F @C 8F 26 01 1D 8D 5B F3 ED F7 
HandshakeSecret = HKDF-Extract(Salt: Derived #0, IKM: ECDHE):
00000: 44 24 БЕ 2C 43 32 D1 F7 8B ОҒ 8D 16 F4 03 ЕВ 69 
00010: ED 2А 40 53 84 7С DC 39 ҒА 8B 3D 29 74 F7 45 E7 
HM1 = (ClientHello, ServerHello)
TH1 = Transcript-Hash(HM1):
80008: 99 3B А7 22 12 4A ЕЗ СВ FD 47 71 E7 FA ЕЗ 2A C1 
00010: | D0 Е9 27 8C F7 84 ЗЕ CB Сб 20 ЕТ АӨ 08 5A 87 А1 
server_handshake_traffic_secret (SHTS): 
SHTS = Derive-Secret(HandshakeSecret, "s hs traffic", HM1) =
HKDF-Expand-Label(HandshakeSecret, "s hs traffic", TH1, 32):
00000: 70 A5 F2 46 3D F6 0D BA А2 36 8B 67 FD 45 AE FF 
00010: 7С ЛА ӨВ А4 2D 8A BD 72 41 БЕ CD 10 94 Е9 EF 54 
server_write_key_hs = HKDF-Expand-Label(SHTS, "key", "", 32): 
80008: ЕТ 37 64 В5 4B 9E 1B 47 D4 33 98 D6 D2 16 DF 24 
80018: C2 89 АЗ 96 АВ 6C 5B 52 4B ВВ 9C 06 F3 9Е EF 01 
server_write_iv_hs = HKDF-Expand-Label(SHTS, "iv", "", 16):
00000: 69 69 FF AA A4 52 52 81 EE BB EB 4C BD 0B 64 0E
server_record_write_key = TLSTREE(server_write_key_hs, 0):
00000: 56 EE 18 13 72 72 49 C9 DC DF 35 13 78 7E DB 93
00010: DF 62 C6 1E E7 B1 26 C5 0F 26 C0 AA AF AE 00 E1
seqnum:
00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
nonce:
00000: 69 69 FF AA A4 52 52 81 EE BB EB 4C BD 0B 64 0E
additional_data:
00000: 17 03 03 00 17
TLSInnerPlaintext: 
00000: 08 00 00 02 00 00 16 


Record layer message:
  type:                      17
  legacy_record_version:     0303
  length:                    0017
  encrypted_record:          940E5D2C753AE5FEBD20012CC9E3EB24
                             A379841E02ABBE


TLSCiphertext:
00000: 17 03 03 00 17 94 0E 5D 2C 75 3A E5 FE BD 20 01
00010: 2C C9 E3 EB 24 A3 79 84 1E 02 AB BE


Certificate message:
  msg_type:                  0B
  length:                    000151
  body:
    certificate_request_context:
      length:                00
      vector:                --
    certificate_list:
      length:                00014D
      vector:
        ASN.1Cert:
          length:            000148
          vector:
        extensions:
          length:            0000
          vector:            --

Record payload protection:


server_record_write_key = TLSTREE(server_write_key_hs, 1):

seqnum:

nonce:

additional_data:
00000: 17 03 03 01 66

TLSInnerPlaintext:


Record layer message:
  type:                      17
  legacy_record_version:     0303
  length:                    0166
  encrypted_record:


TLSCiphertext:


HMCertificateVerify = (ClientHello, ServerHello, 
EncryptedExtensions, Certificate) 


Transcript-Hash(HMCertificateVerify) : 


k (random for signature algorithm):


sgn:


CertificateVerify message:
  msg_type:                  0F
  length:                    000044
  body:
    algorithm:               070A
    signature:
      length:                0040
      vector:


Record payload protection:


server_record_write_key = TLSTREE(server_write_key_hs,

seqnum:

nonce:

additional_data:
00000: 17 03 03 00 59

TLSInnerPlaintext:

Record layer message:
  type:                      17
  legacy_record_version:     0303
  length:                    0059
  encrypted_record:


TLSCiphertext:


server_finished_key = HKDF-Expand-Label(SHTS, "finished", "", 32):
53 F1 СО 38 ВЕ ВА 70 СО ВС А0 DD 21 А0 30 F2 38 
1C 34 37 CD ӨЕ 7E СО Зр ВА 96 БЕ 25 63 2D D7 9A 


HMFinished = (ClientHello, ServerHello, EncryptedExtensions,
Certificate, CertificateVerify)


Transcript-Hash(HMFinished):

03 EC 9B 1D ОВ 37 41 42 45 72 BA C9 DF ЗА A5 2C 
03 EF E9 Е9 58 07 69 43 AF D8 58 19 BC 60 2F 46 


FinishedHash =
HMAC(server_finished_key, Transcript-Hash(HMFinished)):
00000: E0 BA A3 36 14 E0 69 69 7E 4D FA B0 71 B9 72 57
00010: 73 F8 FE 1A 32 6A 66 2D 0F 52 30 9B 45 B6 E0 31


Finished message:
  msg_type:                  14
  length:                    000020
  body:
    verify_data:             E0BAA33614E069697E4DFAB071B97257
                             73F8FE1A326A662D0F52309B45B6E031

00000: 14 00 00 20 E0 BA A3 36 14 E0 69 69 7E 4D FA B0
00010: 71 B9 72 57 73 F8 FE 1A 32 6A 66 2D 0F 52 30 9B
00020: 45 B6 E0 31


Record payload protection:


server_record_write_key = TLSTREE(server_write_key_hs, 3):
00000: 56 EE 18 13 72 72 49 C9 DC DF 35 13 78 7E DB 93
00010: DF 62 C6 1E E7 B1 26 C5 0F 26 C0 AA AF AE 00 E1


seqnum:
00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03


nonce:
00000: 69 69 FF AA A4 52 52 81 EE BB EB 4C BD 0B 64 0D


additional_data:
00000: 17 03 03 00 35


TLSInnerPlaintext:
00000: 14 00 00 20 E0 BA A3 36 14 E0 69 69 7E 4D FA B0
00010: 71 B9 72 57 73 F8 FE 1A 32 6A 66 2D 0F 52 30 9B
00020: 45 B6 E0 31 16


Record layer message: 


type: 17 

legacy_record_version: 0303 

length: 0035 

encrypted_record: 57B1706C4918F67EACCA457F7D5B537C 


CE5036B4004C778022B97EE802320398 
119404506680ADD7D6A6CD7C8153B755 
3C6E646AD6 


TLSCiphertext: 
00000: 17 03 03 00 35 57 B1 70 6C 49 18 F6 7E AC CA 45
00010: 7F 7D 5B 53 7C CE 50 36 B4 00 4C 77 80 22 B9 7E
00020: E8 02 32 03 98 11 94 04 50 66 80 AD D7 D6 A6 CD 
00030: 7C 81 53 B7 55 3C 6E 64 6A D6 


Application Data: 
HELO gost.example.com\r\n 


Record payload protection: 


Derived #1 = Derive-Secret(HandshakeSecret, "derived", "") = 
HKDF-Expand-Label(HandshakeSecret, "derived", "", 32): 
00000: EA 3C 54 ВВ D1 4E F9 D7 50 77 6F AB ЕЗ 95 ВЕ 2A 
00010: BD DB BB B7 1C 13 C2 BD 60 ОЕ 35 15 79 4A FA 02 


MainSecret = HKDF-Extract(Salt: Derived #1, IKM: 0^256):
00000: 31 BB 1D 61 2C CD 53 32 68 8A 55 1A 48 CA 25 0F 
00010: 24 78 3D ДА BO ВА A7 6D ЗЕ E5 06 7А 26 16 А4 АЗ 


HM2 = (ClientHello, ServerHello, EncryptedExtensions, Certificate,
CertificateVerify, Server Finished) 


TH2 = Transcript-Hash(HM2) : 
00000: 9Е ВС 5F BE 32 D9 РА @D 48 Е8 ЕЕ СЕ ВВ 62 31 А5 
00010: 33 C2 C@ EF 24 32 77 В9 6D 6F 7A D3 ВВ FD 14 94 


server_application_traffic_secret (SATS): 

SATS = Derive-Secret(MainSecret, "s ap traffic", HM2) =
HKDF-Expand-Label(MainSecret, "s ap traffic", TH2, 32):
00000: 87 73 АЕ 4B 4С FD 17 В9 7B 83 4D 82 2р 9D 73 79 
00010: F6 F5 Ед ЗВ 80 B5 2А ЕВ 2A ҒҒ 51 ӨЕ DD 83 DB D2 


server_write_key_ap = HKDF-Expand-Label(SATS, "key", "", 32):
00000: 47 БЕ 4C 51 4C C6 31 8С ЗА БЕ 00 OF 12 65 BD ТА 
00010: B5 F0 DE 1A ЕЗ 57 ED 00 79 ЕС БР F0 AF BD 03 0C 


server_write_iv_ap = HKDF-Expand-Label(SATS, "iv", "", 16):


00000: AF E9 1F 71 18 35 40 26 31 7E ТА ВА D8 22 17 B8 


server_record_write_key = TLSTREE(server_write_key_ap, 0):
00000: C8 FC 93 D7 C5 86 F2 B0 A3 10 1B AA 6A 97 9E 4E
00010: 38 86 70 65 51 E8 11 87 E9 78 80 40 9C 7E 8E E9


seqnum: 
00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 


nonce:
00000: 2F Е9 1F 71 18 35 40 26 31 7E ЛА ВА D8 22 17 B8 


additional_data: 
00000: 17 03 03 00 28 


TLSInnerPlaintext: 
00000: 48 45 4С 4F 20 67 6F 73 74 2Е 65 78 61 6D 70 6C 
00010: 65 2Е 63 6F 6D 0D 0A 17 


Record layer message: 


type: 17 

legacy_record_version: 0303 

length: 0028 

encrypted_record: ABB8C372C79681DCE5C3C909DD039D59
8161FD3E6CE5D6F9CA5715BD6B5C1824
7FB26AC1AB396A4E

TLSCiphertext:


00000: 17 03 03 00 28 AB B8 C3 72 C7 96 81 DC E5 C3 C9
00010: 09 DD 03 9D 59 81 61 FD 3E 6C E5 D6 F9 CA 57 15
00020: BD 6B 5C 18 24 7F B2 6A C1 AB 39 6A 4E


client_finished_key = HKDF-Expand-Label(CHTS, "finished", "", 32):
00000: 2F 21 54 8C F5 27 78 69 AE 49 OD E7 BC 15 AC E6 
00010: 39 F6 57 E3 58 2A 5A 63 4B 0A 91 56 95 D5 4C 42 


HM2 = (ClientHello, ServerHello, EncryptedExtensions, Certificate,
CertificateVerify, Server Finished) 


TH2 = Transcript-Hash(HM2): 
00000: 9E BC 5Е BE 32 D9 F4 0D 48 F8 EE СЕ ВВ 62 31 A5 
00010: 33 C2 СО EF 24 32 77 B9 6D 6F 7A 03 BB FD 14 94 


FinishedHash =
HMAC(client_finished_key, TH2):
00000: 08 5F C7 FD 79 B6 D1 11 CD 8D 3F F6 B2 3A 06 5A
00010: 7A F7 A6 38 73 42 A5 F3 57 68 14 CD 00 47 19 D2


Finished message:
  msg_type:                  14
  length:                    000020
  body:
    verify_data:             085FC7FD79B6D111CD8D3FF6B23A065A
                             7AF7A6387342A5F3576814CD004719D2

00000: 14 00 00 20 08 5F C7 FD 79 B6 D1 11 CD 8D 3F F6
00010: B2 3A 06 5A 7A F7 A6 38 73 42 A5 F3 57 68 14 CD
00020: 00 47 19 D2


Record payload protection: 


EarlySecret = HKDF-Extract(Salt: 0^256, IKM: 0^256):
80008: FB DE FB E5 27 FE EA 66 5A AB 92 77 A2 16 3B 83 
99010: 43 08 4F D1 91 C4 60 66 26 OF АС 6F D1 43 6С 72 


Derived #0 = Derive-Secret(EarlySecret, "derived", "") = 
HKDF-Expand-Label(EarlySecret, "derived", "", 32): 

00000: DB C3 C8 26 D8 77 АЗ В7 D2 D2 45 3D BF DC 6С FB 
00018: FB 11 51 ВЗ ЕВ ЖЕ 0C 8F 26 01 1D 8D 5B ЕЗ ED F7 


HandshakeSecret = HKDF-Extract(Salt: Derived #0, IKM: ECDHE):
00000: 44 24 БЕ 2C 43 32 D1 F7 8B ОҒ 8D 16 РА ӨЗ EB 69 
00010: ED 2A 40 53 84 7C DC 39 FA 8B 3D 29 74 F7 45 E7 


HM1 = (ClientHello, ServerHello)


TH1 = Transcript-Hash(HM1):
00000: 99 3B А7 22 12 4A ЕЗ СВ FD 47 71 E7 ҒА ЕЗ 2A C1 
00010: 00 Е9 27 8C F7 84 ЗЕ CB Сб 20 ЕТ Ад 08 5A 87 A1 


client_handshake_traffic_secret (CHTS): 
CHTS = Derive-Secret(HandshakeSecret, "c hs traffic", HM1) =
HKDF-Expand-Label(HandshakeSecret, "c hs traffic", TH1, 32):
00000: B3 F7 11 3D 35 26 55 4F E6 55 Е5 6F АВ 79 B1 А0 
00010: Зр ЕЗ 35 96 ЕЗ 30 88 C7 78 37 19 А9 АА В DC СО 


client_write_key_hs = HKDF-Expand-Label(CHTS, "key", "", 32): 
00000: 58: 16:88:07 6Е БЕ 12328785 5Е 62 ВЗ ВЕ ЕЮ 1В СС 
00010: 8С 88 DB 83 E9 EA 4D 55 D3 89 8С 53 72 1F C3 84 


client_write_iv_hs = HKDF-Expand-Label(CHTS, "iv", "", 16):
00008: 43 9A 07 45 3D ӨВ EA ӨС 1D 1B ЕВ 73 8E B5 В8 DD 


client_record_write_key = TLSTREE(client_write_key_hs, 0):
80008: ЕТ C5 9B 41 69 08 96 10 7F 78 45 68 93 АЗ 75 ЛЕ 
00010: 15 73 54 3D AD 8C В7 40 69 E6 81 4A 51 ЗВ ВВ 1С 


seqnum:
00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 


nonce:
00000: 43 9A 07 45 30 0B EA ӨС 10 1B EB 73 8E B5 B8 DD 


additional_data:
00000: 17 03 03 00 35 


TLSInnerPlaintext: 

00000: 14 00 00 20 08 5F C7 FD 79 B6 D1 11 CD 8D 3F F6 
00010: B2 ЗА 06 БА 7А F7 Аб 38 73 42 А5 ЕЗ 57 68 14 CD 
00020: 00 47 19 D2 16 


Record layer message: 


type: 17 

legacy_record_version: 0303 

length: 0035 

encrypted_record: C9C65EAAB4A80E04849A122EB0CC26A9
CA6B5DD4DB7AD6813949F629FC09E052
2FF7ACDBBA93926C20008B8CCE865422
7B31D439F8


TLSCiphertext:
00000: 17 03 03 00 35 C9 C6 5E AA B4 A8 0E 04 84 9A 12
00010: 2E B0 CC 26 A9 CA 6B 5D D4 DB 7A D6 81 39 49 F6
00020: 29 FC 09 E0 52 2F F7 AC DB BA 93 92 6C 20 00 8B
00030: 8C CE 86 54 22 7B 31 D4 39 F8


NewSessionTicket message:
  msg_type:                  04
  length:                    000035
  body:
    ticket_lifetime:         00093A80
    ticket_age_add:          86868686
    ticket_nonce:
      length:                08
      vector:                0000000000000000
    ticket:
      length:                0020
      vector:                88888888888888888888888888888888
                             88888888888888888888888888888888
    extensions:
      length:                0000
      vector:                --


00000: 04 00 00 35 00 09 3A 80 86 86 86 86 08 00 00 00
00010: 00 00 00 00 00 00 20 88 88 88 88 88 88 88 88 88
00020: 88 88 88 88 88 88 88 88 88 88 88 88 88 88 88 88
00030: 88 88 88 88 88 88 88 00 00


Record payload protection: 


server_record_write_key = TLSTREE(server_write_key_ap, 1): 
00000: C8 FC 93 D7 C5 86 F2 B0 A3 10 1B AA 6A 97 9E 4E
00010: 38 86 70 65 51 E8 11 87 E9 78 80 40 9C 7E 8E E9


seqnum: 
00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 


nonce: 
00000: 2F E9 1F 71 18 35 40 26 31 7E ТА ВА D8 22 17 B9 


additional_data:
00000: 17 03 03 00 4A 


TLSInnerPlaintext: 

00000: 04 00 00 35 00 09 3A 80 86 86 86 86 08 00 00 00 
00010: 00 00 00 00 00 00 20 88 88 88 88 88 88 88 88 88 
00020: 88 88 88 88 88 88 88 88 88 88 88 88 88 88 88 88 
00030: 88 88 88 88 88 88 88 00 00 16 


Record layer message:
type: 17
legacy_record_version: 0303
length: 004A
encrypted_record: CA6688A5DC22208DC8A8DE7E597292E3
CB5D454945B8F06C7C50F1823D7B6BB0
021178AE3ADB2DE3994539FD696945CF
AA6919F3F1294CD41ED2A8EA75302869
ACB994F3920B09D67186


TLSCiphertext:
00000: 17 03 03 00 4A CA 66 88 A5 DC 22 20 8D C8 A8 DE
00010: 7E 59 72 92 E3 CB 5D 45 49 45 B8 F0 6C 7C 50 F1
00020: 82 3D 7B 6B B0 02 11 78 AE 3A DB 2D E3 99 45 39
00030: FD 69 69 45 CF AA 69 19 F3 F1 29 4C D4 1E D2 A8
00040: EA 75 30 28 69 AC B9 94 F3 92 0B 09 D6 71 86


Application data:
00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[...]
000003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Pad: 15360 bytes


Record payload protection:


server_record_write_key = TLSTREE(server_write_key_ap, 2):


00000: 
00010: 


seqnum: 
00000: 


nonce: 
00000: 


additional_data:


00000: 17 03 03 40 11 
TLSInnerPlaintext: 
00000000: 00 00 00 00
[...]
000003F0: 00 00 00 00
00000400: 17 00 00 00
00000410: 00 00 00 00
00004000: 00


Record layer message:
type:
legacy_record_version:
length:
encrypted_record:


Smyshlyaev, et al. 


38 86 70 65 51 


00 00 00 00 00 


C8 FC 93 D7 C5 86 F2 B0 A3 10 1B AA 6A 97 9E 4E 
E8 11 87 E9 78 80 40 9C 7E 8E E9 


00 00 00 00 00 00 00 00 00 00 02 


2Е E9 ТЕ 71 18 35 40 26 31 7E ТА ВА D8 22 17 BA 


00 00 00 00 00 00 00 00 00 00 00 


00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 


17

0303 

4011 


TLSCiphertext: 


Application data: 
00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[...]
000003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Pad: 15360 bytes


Record payload protection: 
server_record_write_key = TLSTREE(server_write_key_ap, 3): 
00000: C8 FC 93 D7 C5 86 F2 B0 A3 10 1B AA 6A 97 9E 4E
00010: 38 86 70 65 51 ЕВ 11 87 Е9 78 80 40 9С 7E ЗЕ E9 


seqnum: 
00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 


nonce: 
00000: 2Е E9 ТЕ 71 18 35 40 26 31 7E ТА ВА 08 22 17 BB 


additional_data:
00000: 17 03 03 40 11 


TLSInnerPlaintext:
00000000: 00 00 00
[...]
000003F0: 00 00 00
00000400: 17 00 00
00000410: 00 00 00
00004000: 00


Record layer message: 


type: 


legacy_record_version: 


length: 


encrypted_record: 


TLSCiphertext: 






00 


00 
00 
00 
00 00 00 00 00 00 00 00 00 00 00


00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 


17

0303 

4011 
Application data:
00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[...]
000003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Pad: 15360 bytes


Record payload protection: 


server_record_write_key 
D3 CD 87 D5 68 
58 98 B7 39 A3 


00000: 
00010: 


seqnum: 
00000: 


nonce:
00000: 


additional_data: 


00000: 17 03 03 40 11
TLSInnerPlaintext: 
00000000: 00 00 00 00
000003F0: 00 00 00 00
00000400: 17 00 00 00
00000410: 00 00 00 00
[...]
00004000: 00


Record layer message:
type:
legacy_record_version:
length:
encrypted_record:


TLSCiphertext: 


00000000: 




17 03 03 40 11 E3 DF 00 F1 69 A7 6F АТ 9F Е5 5F 


00 00 00 00 00 


ФЕЗЕОФТЕСТЛІРЛІВ 


= TLSTREE(server_write_key_ap, 8): 


74 07 82 39 78 34 АС 06 В9 28 А8 
1D Зр E5 FF 2B 78 8E ҒЗ 91 96 ED 


00 00 00 00 00 00 00 00 00 00 08 


35 40 26 31 7E 1A B4 08 22 17 ВО 


00 00 00 00 00 00 00 00 00 00 00 


00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 


17 

0303 

4011 


Application data:
00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[...]
000003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Pad: 15360 bytes


Record payload protection: 


server_record_write_key


00000: 
00010: 


seqnum: 
00000: 


nonce: 
00000: 


additional_data:


00 00 00 00 00 


00000: 17 03 03 40 11 
TLSInnerPlaintext: 
00000000: 00 00 00 00
[...]
000003F0: 00 00 00 00
00000400: 17 00 00 00
00000410: 00 00 00 00
[...]
00004000: 00


Record layer message:
type:
legacy_record_version:
length:
encrypted_record:




= TLSTREE(server_write_key_ap, 9):


D3 CD 87 D5 68 74 07 82 39 78 34 4C 06 B9 28 A8 
58 98 B7 39 A3 


1D 3D E5 FF 2B 78 8E F3 91 96 ED


00 00 00 00 00 00 00 00 00 00 09 


2F E9 1F 71 18 35 40 26 31 7E ТА ВА D8 22 17 B1 


00 00 00 00 00 00 00 00 00 00 00 00 


00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 


17

0303 

4011 


TLSCiphertext: 


Application data: 
00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 


[...]
000003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
Pad: 15360 bytes 


Record payload protection: 
Derived #1 = Derive-Secret(HandshakeSecret, "derived", "") = 
HKDF-Expand-Label(HandshakeSecret, "derived", "", 32): 


00000: EA ЗС 54 ВВ D1 4E F9 D7 50 77 6Ғ АВ ЕЗ 95 ВЕ 2A 
00010: BD DB ВВ В7 1С 13 C2 BD 60 9Е 35 15 79 ДА ҒА 02 
MainSecret = HKDF-Extract(Salt: Derived #1, IKM: 0^256):
31 BB 1D 61 2C CD 53 32 68 8A 55 1A 48 CA 25 OF 
24 78 3D 4A BO ВА A7 6D ЗЕ E5 06 7A 26 16 A4 АЗ 


HM2 = (ClientHello, ServerHello, EncryptedExtensions, Certificate, 
CertificateVerify, Server Finished) 


TH2 = Transcript-Hash(HM2):
00000: ЗЕ ВС 5F BE 32 09 РА 0D 48 F8 ЕЕ СЕ ВВ 62 31 А5 
00010: 33 C2 C@ EF 24 32 77 В9 6D 6F 7A D3 ВВ FD 14 94 


client_application_traffic_secret (CATS): 

CATS = Derive-Secret(MainSecret, "c ap traffic", HM2) =
HKDF-Expand-Label(MainSecret, "c ap traffic", TH2, 32):
00000: ВА CF 74 6B EC 31 17 6C BD 14 2C 75 80 6C 27 0A 
00010: 0A EF 6F C3 8Е 0D 8F DC B5 A8 85 25 36 ЗА DE 81 

client_write_key_ap = HKDF-Expand-Label(CATS, "key", "", 32):
00000: 7B Еб 4E 2C 12 78 7B 5B 8C 87 56 C4 3D 92 FA EF
00010: 64 F1 5A 3A 3C 10 81 AD 34 BC A5 06 F0 32 24 15


client_write_iv_ap = HKDF-Expand-Label(CATS, "iv", "", 16):
00000: 31 09 57 EF 71 31 44 33 F5 76 CC 9B 00 AD 93 54 


client_record_write_key = TLSTREE(client_write_key_ap, 0):
00000: D4 9A 57 15 49 E7 48 94 9F A2 4B 88 34 23 2C A8
00010: 75 D3 7A 26 C4 BB 5C 62 A2 61 DA B3 72 65 05 26


seqnum:
00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00


nonce:
00000: 31 09 57 EF 71 31 44 33 F5 76 CC 9B 00 AD 93 54


additional_data:


00000: 17 03 03 40 11 
TLSInnerPlaintext: 
00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000400: 17 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00004000: 00

Record layer message:
type: 17
legacy_record_version: 0303
length: 4011
encrypted_record:


TLSCiphertext: 


Application data: 
00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[...]
000003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Pad: 15360 bytes


Record payload protection: 
server_record_write_key = TLSTREE(server_write_key_ap, 1): 
00000: D4 9A 57 15 49 E7 48 94 9F A2 4B 88 34 23 2C A8
00010: 75 D3 7A 26 C4 BB 5C 62 A2 61 DA B3 72 65 05 26


seqnum:
00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01


nonce:
00000: 31 09 57 EF 71 31 44 33 F5 76 CC 9B 00 AD 93 55


additional_data: 
00000: 17 03 03 40 11 
TLSInnerPlaintext:
00000000: 00 00 00 
000003F0: 00 00 00 
00000400: 17 00 00 
00000410: 00 00 00 
00004000: 00 


Record layer message:
type:
legacy_record_version:
length:
encrypted_record:


TLSCiphertext: 


00 00 00 00 00 00 00 00 00 00 00


00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 


17 

0303 

4011 


Informational 


Application data:
00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[...]
000003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Pad: 15360 bytes


Record payload protection:


client_record_write_key = TLSTREE(client_write_key_ap, 8): 


00000: B8 2D 78 25 D1 
00010: 
seqnum: 
00000: 00 00 00 00 00 
nonce:
00000: 31 09 57 EF 71


additional_data: 


00000: 17 03 03 40 11
TLSInnerPlaintext: 
00000000: 00 00 00 00
[...]
000003F0: 00 00 00 00
00000400: 17 00 00 00
00000410: 00 00 00 00
00004000: 00


Record layer message:
type:
legacy_record_version:
length:
encrypted_record:


TLSCiphertext: 




БЕ AE 18 А7 01 32 28 ВЗ 1C BO C5 
97 52 C6 40 9C БР 78 99 EC C6 95 OF 74 63 СӨ 90 


00 00 00 00 00 00 00 00 00 00 08 


31 44 33 F5 76 CC 9B 00 AD 93 5C 


00 00 00 00 00 00 00 00 00 00 00 


00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 


17

0303 

4011 




00 


00 
00 
00 


February 2023 


RFC 9367




Application data:
00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[...]
000003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Pad: 15360 bytes


Record payload protection: 


client_record_write_key


00000: 
00010: 


seqnum: 
00000: 


nonce: 
00000: 


additional_data:


B8 2D 78 25 D1 
97 52 C6 40 9C 


00 00 00 00 00 


31 09 57 EF 71 


00000: 17 03 03 40 11 
TLSInnerPlaintext: 
00000000: 00 00 00 00
000003F0: 00 00 00 00
00000400: 17 00 00 00
00000410: 00 00 00 00
[...]
00004000: 00


Record layer message: 


type: 


legacy_record_version: 


length: 




= TLSTREE(client_write_key_ap, 9):
SF AE 18 A7 01 32 28 ВЗ 1C ВО C5 
БЕ 78 99 EC C6 95 ВЕ 74 63 CO 90 


00 00 00 00 00 00 00 00 00 00 09 


31 44 33 F5 76 CC 9B 00 AD 93 5D 


00 00 00 00 00 00 00 00 00 00 00 00 


00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 


17 
0303 
4011 
encrypted_record:


TLSCiphertext: 


Alert message: 
level: 
description: 


00000: 01 00 


GOST Cipher Suites for TLS 1.3 




Record payload protection: 


client_record_write_key = TLSTREE(client_write_key_ap, 10):


00000: D3 CD 87 D5 68 74 07 82 39 78 34 4C 06 B9 28 A8 
00010: 58 98 B7 39 A3 1D 3D E5 FF 2B 78 8E F3 91 96 ED


seqnum: 
00000: 00 00 00 00 00


nonce:
00000: ЖЕР ESTE SETS 


additional_data:
00000: 17 03 03 00 13 


TLSInnerPlaintext: 
00000: 01 00 15 


Record layer message:
type:
legacy_record_version:
length:
encrypted_record:


TLSCiphertext: 
00000: 17 03 03 00 13 
00010: D3 19 42 C6 A1 


Alert message: 
level: 
description: 


00000: 01 00 
00 00 00 00 00 00 00 00 00 00 0A


35 40 26 31 7E ТА ВА D8 22 17 B2 


17 

0303 

0013 
7CBC00AD5D29E301739394D31942C6A1 
6658E9 


7C BC 00 AD 5D 29 ЕЗ 01 73 93 94 
66 58 E9 


Record payload protection: 


client_record_write_key
00000: B8 2D 78 25 D1 
00010: 97 52 C6 40 9C 


seqnum: 
00000: 00 00 00 00 00 


nonce: 
00000: 31 09 57 EF 71 


additional_data:
00000: 17 03 03 00 13 


TLSInnerPlaintext: 
00000: 01 00 15 


Record layer message:
type:
legacy_record_version:
length:
encrypted_record:


TLSCiphertext: 
= TLSTREE(client_write_key_ap, 10):
БЕ AE 18 A7 01 32 28 ВЗ 1C ВО C5 
БЕ 78 99 EC C6 95 ВЕ 74 63 CO 90 


00 00 00 00 00 00 00 00 00 00 0A


31 44 33 F5 76 CC 9B 00 AD 93 5E 


17

0303 

0013 
CB19F306C3641754BEAFC95390DF06F9 
CD44AA 
00000: 17 03 03 00 13 CB 19 F3 06 C3 64 17 54 BE AF C9
00010: 53 90 DF 06 F9 CD 44 AA


A.2. Example 2


A.2.1. Test Case

Test examples are given for the following instance of the TLS13_GOST profile:


1. Full TLS Handshake is used.


2. PSK with ECDHE key exchange mode is used. The elliptic curve GC256B is used for ECDHE
shared secret calculation.


3. Authentication is used on the server and client sides. The external PSK is used for the mutual
authentication.


4. TLS_GOSTR341112_256_WITH_MAGMA_MGM_L cipher suite is negotiated.


5. Four Application Data records are sent during the operation of the Record protocol. The
sequence numbers are selected to demonstrate the operation of the TLSTREE function.


6. Alert protocol is used for closure of the connection.


A.2.2. Test Examples 


ePSK: 
00000: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 
00010: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80


ClientHello1 message:
msg_type: 01
length: 00007B
body:
legacy_version: 0303
random: 01010101010101010101010101010101
01010101010101010101010101010101
legacy_session_id:
length: 00
vector: --
cipher_suites:
length: 0002
vector:
CipherSuite: C104
compression_methods:
length: 01
vector:
CompressionMethod: 00
extensions:
length: 0050
vector:
Extension: /* supported_groups */
extension_type: 000A
extension_data:
length: 0006
vector:
named_group_list:
length: 0004
vector:
/* GC256B */
0023
/* GC512C */
0028
Extension: /* supported_versions */
extension_type: 002B
extension_data:
length: 0003
vector:
versions:
length: 02
vector:
0304
Extension: /* psk_key_exchange_modes */
extension_type: 002D
extension_data:
length: 0002
vector:
ke_modes:
length: 01
vector:
/* psk_dhe_ke */
01
Extension: /* key_share */
extension_type: 0033
extension_data:
length: 0002
client_shares:
length: 0000
vector: --
Extension: /* pre_shared_key */
extension_type: 0029
extension_data:
length: 002F
vector:
identities:
length: 000A
vector:
identity:
length: 0004
vector: 6550534B
obfuscated_ticket_age: 00000000
binders:
length: 0021
vector:
binder:
length: 20
vector: 6F3A0B91F2945EF7056DB74302BC34B6
DF77A88E09C587508AB6287C6C0514AD


Truncate(ClientHello1):
0000: 01 00 00 7B 03 03 01 01 01 01 01 01 01 01 01 01
0010: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
0020: 01 01 01 01 01 01 00 00 02 C1 04 01 00 00 50 00
0030: 0A 00 06 00 04 00 23 00 28 00 2B 00 03 02 03 04
0040: 00 2D 00 02 01 01 00 33 00 02 00 00 00 29 00 2F
0050: 00 0A 00 04 65 50 53 4B 00 00 00 00


Hash(Truncate(ClientHello1)): 
0000: CC 9C A9 FC 18 DF 7A 2F 5F 63 27 D7 7B EA DC F1 
0010: А7 3D 80 97 7F EB EA ВА Ед D3 83 39 30 00 2B 8D 


EarlySecret = HKDF-Extract(Salt: 0^Hlen, IKM: ePSK):
00000: 42 30 7A 99 68 18 34 Өр DO 56 2F 7F EB Еб 2A B5 
00010: 78 F3 BC 88 9C A9 29 ЗА 89 0D F2 09 B9 1B BB F3 


binder_key = Derive-Secret(EarlySecret, "ext binder", "") =
HKDF-Expand-Label(EarlySecret, "ext binder", "", 32): 
00000: A4 37 62 СЗ БЕ 75 54 ТА 15 58 Ад 8D 15 50 03 29 
00010: | 4C СЗ F9 ӨС 73 99 ЕС СО 50 B9 15 37 A2 4C 05 E4 


finished_binder_key =
HKDF-Expand-Label(binder_key, "finished", "", 32):
00000: ЕБ 6Е759 62 ЈЕ2Е8 ЕУ С 6980 ЛЕВ 70 В4 С SB 
00010: ED 96 ЕВ 32 FC D7 АВ 95 AD 06 В1 СЕ ЕТ 73 E6 65 


binder = HMAC(finished_binder_key, ДИ Пан би 
00000: 6F 3A 0B 91 F2 94 5E F7 05 6D B7 43 02 BC 34 B6
00010: DF 77 A8 8E 09 C5 87 50 8A B6 28 7C 6C 05 14 AD


0000: 01 00 00 7B 03 03 01 01 01 01 01 01 01 01 01 01
0010: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
0020: 01 01 01 01 01 01 00 00 02 C1 04 01 00 00 50 00
0030: 0A 00 06 00 04 00 23 00 28 00 2B 00 03 02 03 04
0040: 0A 07 0B 07 0C 07 0D 07 0E 07 0F 00 2B 00 03 02
0050: 00 2D 00 02 01 01 00 33 00 02 00 00 00 29 00 2F
0060: 00 0A 00 04 65 50 53 4B 00 00 00 00 00 21 20 6F
0070: 3A 0B 91 F2 94 5E F7 05 6D B7 43 02 BC 34 B6 DF
0080: 77 A8 8E 09 C5 87 50 8A B6 28 7C 6C 05 14 AD
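
How Truncate(ClientHello1) relates to the full message, as an added example that is not part of the RFC: the code serializes ClientHello1 from the field values in the listing above and cuts it just before the binders list, which is the prefix the binder is computed over. The function names are made up for this sketch, and the hash and HMAC steps are not reproduced.

```python
import struct

PRE_SHARED_KEY = 0x0029  # extension_type of pre_shared_key in the listing


def build_client_hello1(binder: bytes) -> bytes:
    """Serialize ClientHello1 from the field values in the A.2.2 listing."""
    exts = bytes.fromhex(
        "000A00060004" "0023" "0028"   # supported_groups: GC256B, GC512C
        "002B0003" "02" "0304"         # supported_versions
        "002D0002" "01" "01"           # psk_key_exchange_modes: psk_dhe_ke
        "00330002" "0000"              # key_share with empty client_shares
    )
    identity = b"ePSK"                 # identity vector 65 50 53 4B
    identities = (struct.pack("!H", len(identity)) + identity
                  + bytes(4))          # obfuscated_ticket_age = 00000000
    binders = bytes([len(binder)]) + binder
    psk = (struct.pack("!H", len(identities)) + identities
           + struct.pack("!H", len(binders)) + binders)
    exts += struct.pack("!HH", PRE_SHARED_KEY, len(psk)) + psk
    body = (bytes.fromhex("0303") + b"\x01" * 32   # legacy_version, random
            + b"\x00"                              # empty legacy_session_id
            + bytes.fromhex("0002C104")            # cipher_suites
            + bytes.fromhex("0100")                # compression_methods
            + struct.pack("!H", len(exts)) + exts)
    return b"\x01" + len(body).to_bytes(3, "big") + body


def _uint(msg: bytes, pos: int, size: int) -> int:
    """Read a big-endian integer, rejecting reads past the end of msg."""
    if pos < 0 or pos + size > len(msg):
        raise ValueError("ClientHello is truncated or malformed")
    return int.from_bytes(msg[pos:pos + size], "big")


def truncate_client_hello(msg: bytes) -> bytes:
    """Return the ClientHello prefix that ends just before the binders list."""
    if _uint(msg, 0, 1) != 0x01:
        raise ValueError("not a ClientHello handshake message")
    if _uint(msg, 1, 3) != len(msg) - 4:
        raise ValueError("handshake length does not match the message")
    pos = 4 + 2 + 32                       # header, legacy_version, random
    pos += 1 + _uint(msg, pos, 1)          # legacy_session_id
    pos += 2 + _uint(msg, pos, 2)          # cipher_suites
    pos += 1 + _uint(msg, pos, 1)          # compression_methods
    ext_end = pos + 2 + _uint(msg, pos, 2)
    if ext_end != len(msg):
        raise ValueError("extensions length does not match the message")
    pos += 2
    while pos < ext_end:
        ext_type, ext_len = _uint(msg, pos, 2), _uint(msg, pos + 2, 2)
        data, data_end = pos + 4, pos + 4 + ext_len
        if data_end > ext_end:
            raise ValueError("extension overruns the extensions block")
        if ext_type == PRE_SHARED_KEY:
            # The binder covers everything before it, so nothing may follow.
            if data_end != ext_end:
                raise ValueError("pre_shared_key must be the last extension")
            binders_at = data + 2 + _uint(msg, data, 2)   # skip identities
            if binders_at + 2 + _uint(msg, binders_at, 2) != data_end:
                raise ValueError("binders length is inconsistent")
            return msg[:binders_at]
        pos = data_end
    raise ValueError("no pre_shared_key extension present")


if __name__ == "__main__":
    binder = bytes.fromhex("6F3A0B91F2945EF7056DB74302BC34B6"
                           "DF77A88E09C587508AB6287C6C0514AD")
    hello = build_client_hello1(binder)
    prefix = truncate_client_hello(hello)
    print(len(hello), len(prefix), prefix[-12:].hex())
```

A receiver that verifies the binder has to apply the same cut to the bytes it received, so the length checks in `truncate_client_hello` run before any hashing.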


Record layer message:
type: 16
legacy_record_version: 0301
length: 007F
fragment: 0100007B030301010101010101010101
01010101010101010101010101010101
010101010101000002C1040100005000
0A0006000400230028002B0003020304
0A070B070C070D070E070F002B000302
002D000201010033000200000029002F
000A00046550534B000000000021206F
3A0B91F2945EF7056DB74302BC34B6DF
77A88E09C587508AB6287C6C0514AD


00000: 16 03 01 00 7F 01 00 00 7B 03 03 01 01 01 01 01
00010: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
00020: 01 01 01 01 01 01 01 01 01 01 01 00 00 02 C1 04
00030: 01 00 00 50 00 0A 00 06 00 04 00 23 00 28 00 2B
00040: 00 03 02 03 04 0A 07 0B 07 0C 07 0D 07 0E 07 0F
00050: 00 2B 00 03 02 00 2D 00 02 01 01 00 33 00 02 00
00060: 00 00 29 00 2F 00 0A 00 04 65 50 53 4B 00 00 00
00070: 00 00 21 20 6F 3A 0B 91 F2 94 5E F7 05 6D B7 43
00080: 02 BC 34 B6 DF 77 A8 8E 09 C5 87 50 8A B6 28 7C
00090: 6C 05 14 AD


HelloRetryRequest message:
msg_type: 02
length: 000034
body:
legacy_version: 0303
random: CF21AD74E59A6111BE1D8C021E65B891
C2A211167ABB8C5E079E09E2C8A8339C
legacy_session_id:
length: 00
vector: --
cipher_suite:
CipherSuite: C104
compression_method:
CompressionMethod: 00
extensions:
length: 000C
vector:
Extension: /* supported_versions */
extension_type: 002B
extension_data:
length: 0002
vector:
selected_version:
0304
Extension: /* key_share */
extension_type: 0033
extension_data:
length: 0002
selected_group: 0023


00000: 02 00 00 34 03 03 CF 21 AD 74 E5 9A 61 11 BE 1D
00010: 8C 02 1E 65 B8 91 C2 A2 11 16 7A BB 8C 5E 07 9E
00020: 09 E2 C8 A8 33 9C 00 C1 04 00 00 0C 00 2B 00 02
00030: 03 04 00 33 00 02 00 23


Record layer message:

type: 16
legacy_record_version: 0303
length: 0038
fragment: 020000340303CF21AD74E59A6111BE1D
          8C021E65B891C2A211167ABB8C5E079E
          09E2C8A8339C00C10400000C002B0002
          0304003300020023

00000: 16 03 03 00 38 02 00 00 34 03 03 CF 21 AD 74 E5
00010: 9A 61 11 BE 1D 8C 02 1E 65 B8 91 C2 A2 11 16 7A
00020: BB 8C 5E 07 9E 09 E2 C8 A8 33 9C 00 C1 04 00 00
00030: 0C 00 2B 00 02 03 04 00 33 00 02 00 23

ClientHello2 message:
msg_type: 01
length: 0000BF
body:
  legacy_version: 0303
  random: 01010101010101010101010101010101
          01010101010101010101010101010101
  legacy_session_id:
    length: 00
    vector: --
  cipher_suites:
    length: 0002
    vector:
      CipherSuite: C104
  compression_methods:
    length: 01
    vector:
      CompressionMethod: 00
  extensions:
    length: 0094
    vector:
      Extension: /* supported_groups */
        extension_type: 000A
        extension_data:
          length: 0006
          vector:
            named_group_list:
              length: 0004
              vector:
                /* GC256B */
                0023
                /* GC512C */
                0028
      Extension: /* supported_versions */
        extension_type: 002B
        extension_data:
          length: 0003
          vector:
            versions:
              length: 02
              vector:
                0304
      Extension: /* psk_key_exchange_modes */
        extension_type: 002D
        extension_data:
          length: 0002
          vector:
            ke_modes:
              length: 01
              vector:
                /* psk_dhe_ke */
                01
      Extension: /* key_share */
        extension_type: 0033
        extension_data:
          length: 0046
          client_shares:
            length: 0044
            vector:
              group: 0023
              key_exchange:
                length: 0040
                vector:
                  D35AA795C452450949591D60E7D5C076
                  056D6646F3B80708CDC2E7034DE85F68
                  D1122DC32A3B986D40FF910622A06C12
                  26D9EC3A7D3A52E0A37C282C47602A43
      Extension: /* pre_shared_key */
        extension_type: 0029
        extension_data:
          length: 002F
          vector:
            identities:
              length: 000A
              vector:
                identity:
                  length: 0004
                  vector: 6550534B
                obfuscated_ticket_age: 00000000
            binders:
              length: 0021
              vector:
                binder:
                  length: 20
                  vector: 0BF74AA3933B7D1A66961B6E2CFB6A28
                          04D696BB607710E3F56DDA91F56B57CB


Truncate(ClientHello2):

0000: 01 00 00 BF 03 03 01 01 01 01 01 01 01 01 01 01
0010: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
0020: 01 01 01 01 01 01 00 00 02 C1 04 01 00 00 94 00
0030: 0A 00 06 00 04 00 23 00 28 00 2B 00 03 02 03 04
0040: 00 2D 00 02 01 01 00 33 00 46 00 44 00 23 00 40
0050: D3 5A A7 95 C4 52 45 09 49 59 1D 60 E7 D5 C0 76
0060: 05 6D 66 46 F3 B8 07 08 CD C2 E7 03 4D E8 5F 68
0070: D1 12 2D C3 2A 3B 98 6D 40 FF 91 06 22 A0 6C 12
0080: 26 D9 EC 3A 7D 3A 52 E0 A3 7C 28 2C 47 60 2A 43
0090: 00 29 00 2F 00 0A 00 04 65 50 53 4B 00 00 00 00

finished_binder_key:
00000: F5 6F 59 C2 E2 F8 E7 7C 69 80 ТЕ B1 7D B4 C1 8B
00010: ED 96 EB 32 FC D7 AB 95 AD D6 B1 CF F1 73 E6 65

BinderMsg = (FE 00 00 20 | Hash(ClientHello1), HelloRetryRequest,
Truncate(ClientHello2))

Hash(BinderMsg):
00000: 73 7С 63 74 1B ЗА EA DF C8 73 DF 6E EA 81 19 32
00010: BF СЕ 93 4F АА 85 84 ЕТ 44 F8 77 13 Ед DO CA 32

binder = HMAC(finished_binder_key, Hash(BinderMsg)) =
00000: 0B F7 4A A3 93 3B 7D 1A 66 96 1B 6E 2C FB 6A 28
00010: 04 D6 96 BB 60 77 10 E3 F5 6D DA 91 F5 6B 57 CB


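0000: 01 00 00 BF 03 03 01 01 01 01 01 01 01 01 01 01
0010: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
0020: 01 01 01 01 01 01 00 00 02 C1 04 01 00 00 94 00
0030: 0A 00 06 00 04 00 23 00 28 00 2B 00 03 02 03 04
0040: 00 2D 00 02 01 01 00 33 00 46 00 44 00 23 00 40
0050: D3 5A A7 95 C4 52 45 09 49 59 1D 60 E7 D5 C0 76
0060: 05 6D 66 46 F3 B8 07 08 CD C2 E7 03 4D E8 5F 68
0070: D1 12 2D C3 2A 3B 98 6D 40 FF 91 06 22 A0 6C 12
0080: 26 D9 EC 3A 7D 3A 52 E0 A3 7C 28 2C 47 60 2A 43
0090: 00 29 00 2F 00 0A 00 04 65 50 53 4B 00 00 00 00
00A0: 00 21 20 0B F7 4A A3 93 3B 7D 1A 66 96 1B 6E 2C
00B0: FB 6A 28 04 D6 96 BB 60 77 10 E3 F5 6D DA 91 F5
00C0: 6B 57 CB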

Record layer message:

type: 16
legacy_record_version:
length:
fragment: 010000BF030301010101010101010101
          01010101010101010101010101010101
          010101010101000002C1040100009400
          0A0006000400230028002B0003020304
          002D0002010100330046004400230040
          D35AA795C452450949591D60E7D5C076
          056D6646F3B80708CDC2E7034DE85F68
          D1122DC32A3B986D40FF910622A06C12
          26D9EC3A7D3A52E0A37C282C47602A43
          0029002F000A00046550534B00000000
          0021200BF74AA3933B7D1A66961B6E2C
          FB6A2804D696BB607710E3F56DDA91F5
          6B57CB

ServerHello message:
msg_type: 02
length: 00007C
body:
  legacy_version: 0303
  random: 82828282828282828282828282828282
          82828282828282828282828282828282
  legacy_session_id:
    length: 00
    vector: --
  cipher_suite:
    CipherSuite: C104
  compression_method:
    CompressionMethod: 00
  extensions:
    length: 0054
    vector:
      Extension: /* supported_versions */
        extension_type: 002B
        extension_data:
          length: 0002
          vector:
            selected_version:
              0304
      Extension: /* key_share */
        extension_type: 0033
        extension_data:
          length: 0044
          vector:
            group: 0023
            key_exchange:
              length: 0040
              vector:
                3D2FB067E106CC9980FB8842811164BA
                708BBB5038D5EDFBEE1D5E5DFBE6F74F
                1931217C67C2BDF46253DB9CE3487241
                F2DBD84E2DABDF65455851B0B19AEFEC
      Extension: /* pre_shared_key */
        extension_type: 0029
        extension_data:
          length: 0002
          selected_identity: 0000


00000: 02 00 00 7C 03 03 82 82 82 82 82 82 82 82 82 82
00010: 82 82 82 82 82 82 82 82 82 82 82 82 82 82 82 82
00020: 82 82 82 82 82 82 00 C1 04 00 00 54 00 2B 00 02
00030: 03 04 00 33 00 44 00 23 00 40 3D 2F B0 67 E1 06
00040: CC 99 80 FB 88 42 81 11 64 BA 70 8B BB 50 38 D5
00050: ED FB EE 1D 5E 5D FB E6 F7 4F 19 31 21 7C 67 C2
00060: BD F4 62 53 DB 9C E3 48 72 41 F2 DB D8 4E 2D AB
00070: DF 65 45 58 51 B0 B1 9A EF EC 00 29 00 02 00 00


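Record layer message:

type: 16
legacy_record_version: 0303
length: 0080
fragment: 0200007C030382828282828282828282
          82828282828282828282828282828282
          82828282828200C104000054002B0002
          030400330044002300403D2FB067E106
          CC9980FB8842811164BA708BBB5038D5
          EDFBEE1D5E5DFBE6F74F1931217C67C2
          BDF46253DB9CE3487241F2DBD84E2DAB
          DF65455851B0B19AEFEC002900020000

00000: 16 03 03 00 80 02 00 00 7C 03 03 82 82 82 82 82
00010: 82 82 82 82 82 82 82 82 82 82 82 82 82 82 82 82
00020: 82 82 82 82 82 82 82 82 82 82 82 00 C1 04 00 00
00030: 54 00 2B 00 02 03 04 00 33 00 44 00 23 00 40 3D
00040: 2F B0 67 E1 06 CC 99 80 FB 88 42 81 11 64 BA 70
00050: 8B BB 50 38 D5 ED FB EE 1D 5E 5D FB E6 F7 4F 19
00060: 31 21 7C 67 C2 BD F4 62 53 DB 9C E3 48 72 41 F2
00070: DB D8 4E 2D AB DF 65 45 58 51 B0 B1 9A EF EC 00
00080: 29 00 02 00 00
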
Client

d_C^res:
00000: 02 02 02 02 02 02
00010: 02 02 02 02 02 02

Q_S^res:
00000: 3D 2F B0 67 E1 06 CC 99 80 FB 88 42 81 11 64 BA
00010: 70 8B BB 50 38 D5 ED FB EE 1D 5E 5D FB E6 F7 4F
00020: 19 31 21 7C 67 C2 BD F4 62 53 DB 9C E3 48 72 41
00030: F2 DB D8 4E 2D AB DF 65 45 58 51 B0 B1 9A EF EC

Q_C^res:
00000: D3 5A A7 95 C4 52 45 09 49 59 1D 60 E7 D5 C0 76
00010: 05 6D 66 46 F3 B8 07 08 CD C2 E7 03 4D E8 5F 68
00020: D1 12 2D C3 2A 3B 98 6D 40 FF 91 06 22 A0 6C 12
00030: 26 D9 EC 3A 7D 3A 52 E0 A3 7C 28 2C 47 60 2A 43

EncryptedExtensions message:
msg_type: 08
length: 000002
body:
  extensions:
    length: 0000
    vector: --

00000: 08 00 00 02 00 00

Record payload protection:


EarlySecret = HKDF-Extract(Salt: 0^256, IKM: ePSK):
00000: 42 30 7A 99 68 18 34 Өр рө 56 2F 7F EB Еб 2A B5 
00010: 78 F3 BC 88 9C A9 29 3A 89 0D F2 09 B9 1B BB F3


Derived #0 = Derive-Secret(EarlySecret, "derived", "") =
HKDF-Expand-Label(EarlySecret, "derived", "", 32): 

00000: 6B 4E 9C 49 C5 C6 F1 7F 60 B2 B8 4B 55 0A 16 38 
00010: 14 09 5B 80 88 ВЕ СО ВО CA 52 E4 09 ӨС ВЗ F8 ВЕ 


HandshakeSecret = HKDF-Extract(Salt: Derived #0, IKM: ECDHE):
00000: А9 CB Еб 58 50 2Е ЗЕ D1 18 66 51 БР D6 15 Е9 88
00010: 90 1E 61 B5 28 34 ВВ FD 5F 19 C2 4C 53 C8 79 7F


HM1 = (FE 00 00 20 | Hash(ClientHello1), HelloRetryRequest, 
ClientHello2, ServerHello) 


TH1 = Transcript-Hash(HM1) : 
00000: 88 8D 50 ТЕ 15 98 65 05 97 ЗЕ F2 ВЕ 9A ҒА Е5 71 
00010: 20 АЗ 66 C2 D2 19 91 D1 5E 25 07 0C 30 07 D5 E9 


server_handshake_traffic_secret (SHTS): 

SHTS = Derive-Secret(HandshakeSecret, "s hs traffic", HM1) = 
HKDF-Expand-Label(HandshakeSecret, "s hs traffic", TH1, 32):
00000: ДЕ F8 68 E5 5B 27 F8 88 ЗА 6F 82 DA A7 0B 01 1B 
00010: РА B1 77 95 10 Ед 88 78 АӨ 22 2B ЗЕ 2C 76 Еб 83 


server_write_key_hs = HKDF-Expand-Label(SHTS, "key", "", 32):
00000: DB 61 9B 58 FA 41 1E 33 4F 07 EA C7 7C EF EF CA 
00010: 78 41 F5 40 88 B8 DO D5 CE 6A 62 C9 82 85 C6 81 


server_write_iv_hs = HKDF-Expand-Label(SHTS, "iv", "", 16):
00000: FC 9E 2A C6 63 04 C2 5B 


server_record_write_key = TLSTREE(server_write_key_hs, 0):
00000: ЗС 7D ЕЗ БЕ АС РА FE 71 EA 6A DC Ед DC 44 5D D3 
00010: А9 29 EF CD 08 ЗЕ 18 2F BD 51 42 BA 68 6D 38 84 


seqnum: 
00000: 00 00 00 00 00 00 00 00 


nonce: 
00000: 7C 9E 2A C6 63 04 C2 5B 


additional_data:
00000: 17 03 03 00 0F


TLSInnerPlaintext: 
00000: 08 00 00 02 00 00 16 


TLSCiphertext: 
00000: 17 03 03 00 0F 49 67 A7 E1 AE 7B FB 37 5A 0F 4B
00010: 25 45 91 17


Record layer message:

type: 17
legacy_record_version: 0303
length: 000F
encrypted_record: 4967A7E1AE7BFB375A0F4B25459117

00000: 17 03 03 00 0F 49 67 A7 E1 AE 7B FB 37 5A 0F 4B
00010: 25 45 91 17


server_finished_key = HKDF-Expand-Label(SHTS, "finished", "", 32):
00000: AF 41 F7 7A СВ 18 B4 C5 9D Ед F7 80 46 D5 AE 95 
00010: 7А А4 92 A7 08 08 2А 36 F4 B2 09 B8 20 7C 79 03 


HMFinished = (FE 00 00 20 | Hash(ClientHello1), HelloRetryRequest,
ClientHello2, ServerHello, EncryptedExtensions) 


Transcript-Hash(HMFinished): 
00000: Ед 5D 06 C9 DE BA 09 3D 72 AD 6F 4A 7D ВЕ 11 95 
00010: ЕС E7 АЕ 31 93 F2 FF 5B 2D ОВ F6 14 8E CB E7 B9 


FinishedHash =
HMAC(server_finished_key, Transcript-Hash(HMFinished)):
00000: 96 14 5B 61 68 E0 1C 4C F2 99 50 96 EE 12 C8 6B
00010: 1F 53 1F 96 0A 48 9D E9 C3 44 2A 24 33 E9 AE EE


Finished message:

msg_type: 14
length: 000020
body:
  verify_data: 96145B6168E01C4CF2995096EE12C86B
               1F531F960A489DE9C3442A2433E9AEEE

00000: 14 00 00 20 96 14 5B 61 68 E0 1C 4C F2 99 50 96
00010: EE 12 C8 6B 1F 53 1F 96 0A 48 9D E9 C3 44 2A 24
00020: 33 E9 AE EE


Record payload protection: 


server_record_write_key = TLSTREE(server_write_key_hs, 1):
00000: ЗС 7D ЕЗ БЕ АС РА FE 71 EA 6A DC Ед DC 44 5р рз 
00010: А9 29 ЕЕ CD 08 ЗЕ 18 2F BD 51 42 BA 68 6D 38 84 


seqnum: 
00000: 00 00 00 00 00 00 00 01 


nonce: 
00000: 7C 9E 2A C6 63 04 C2 5A 


additional_data:
00000: 17 03 03 00 2D 


TLSInnerPlaintext: 

00000: 14 00 00 20 96 14 5B 61 68 E0 1C 4C F2 99 50 96
00010: EE 12 C8 6B 1F 53 1F 96 0A 48 9D E9 C3 44 2A 24
00020: 33 E9 AE EE 16

Record layer message:

type: 17
legacy_record_version: 0303
length: 002D
encrypted_record: 3BFB2AEADBC349FD89AFB8E481F8426B
                  CC6B7F5D975FE05E5B28755C00BF353F
                  CA6AA8E9F0145993CA0CE06F37

TLSCiphertext:
00000: 17 03 03 00 2D 3B FB 2A EA DB C3 49 FD 89 AF B8
00010: E4 81 F8 42 6B CC 6B 7F 5D 97 5F E0 5E 5B 28 75
00020: 5C 00 BF 35 3F CA 6A 48 E9 F0 14 59 93 C4 0C E0
00030: 6F 37


EarlySecret = HKDF-Extract(Salt: 0^256, IKM: ePSK):
00000: 42 30 7A 99 68 18 34 Өр DƏ 56 2F 7F EB Еб 2A B5 
00010: 78 F3 BC 88 9C A9 29 ЗА 89 0D F2 09 B9 1B BB F3 


Derived #0 = Derive-Secret(EarlySecret, "derived", "") = 
HKDF-Expand-Label(EarlySecret, "derived", "", 32): 
00000: 6В 4Е 9С 49 С5 С6 Е1 7Ғ 60 В2 В8 АВ 55 ӨА 16 38 
00010: 14 09 5B 80 88 8E СӨ В0 СА 52 E4 09 ӨС ВЗ F8 ВЕ 


HandshakeSecret = HKDF-Extract(Salt: Derived #0, IKM: ECDHE):
00000: А9 CB E6 58 50 2F ЗЕ D1 18 66 51 5Е D6 15 Е9 88 
00010: 90 1E 61 B5 28 34 ВВ FD БЕ 19 C2 4C 53 C8 79 ТЕ 


HM1 = (FE 00 00 20 | Hash(ClientHello1), HelloRetryRequest, 
ClientHello2, ServerHello) 


TH1 = Transcript-Hash(HM1) : 
00000: 88 80 50 ТЕ 15 98 65 05 97 ЗЕ Е2 OF 9A ҒА Е5 71 
00010: 20 АЗ 66 C2 D2 19 91 D1 БЕ 25 07 ӨС 3D 07 05 Е9


client_handshake_traffic_secret (CHTS): 
CHTS = Derive-Secret(HandshakeSecret, "c hs traffic", HM1) = 
HKDF-Expand-Label(HandshakeSecret, "c hs traffic", TH1, 32): 


00000: DF ӨӨ АВ 79 А1 D3 51 55 97 1B ӨЕ 84 C8 91 99 ТЕ 
00010: FE Е6 D@ 1B 27 04 23 СС 74 64 4B 25 47 ЗЕ 78 60 
client_finished_key = HKDF-Expand-Label(CHTS, "finished", "", 32): 


00000: ТЕ А6 7D 28 9F F2 А6 85 C7 ВЕ 13 FD F5 60 А6 05 
00010: А9 Е5 EA 85 63 AD 6С С7 ВА 85 30 76 59 А5 55 81 


HM2 = (FE 00 00 20 | Hash(ClientHello1), HelloRetryRequest, 
ClientHello2, ServerHello, 
EncryptedExtensions, Server Finished) 


TH2 = Transcript-Hash(HM2):
00000: 53 06 24 ЕЕ 07 6Ғ ҒҒ ЕТ 04 DC 15 ЕВ ВА 2D 78 ЗЕ 
00010: ТЕ ДЕ ЕВ ЗЕ 8C 2D CF А5 СВ 85 D7 2Ғ 81 рө 60 15 


FinishedHash = HMAC(client_finished_key, TH2):
00000: BB 83 09 94 BE 38 A9 8F FC A3 BF D2 35 CD 80 7E
00010: 81 82 1E 67 37 AB 98 31 43 DC A9 7B 9E E0 23 25

Finished message:

msg_type: 14
length: 000020
body:
  verify_data: BB830994BE38A98FFCA3BFD235CD807E
               81821E6737AB983143DCA97B9EE02325

00000: 14 00 00 20 BB 83 09 94 BE 38 A9 8F FC A3 BF D2
00010: 35 CD 80 7E 81 82 1E 67 37 AB 98 31 43 DC A9 7B
00020: 9E E0 23 25


Record payload protection: 


client_write_key_hs = HKDF-Expand-Label(CHTS, "key", "", 32):
00000: DF 66 60 ЛЕ DD D6 4E 96 1D FC 7D рө 21 2E F2 25 
00010: са 05 33 E6 DA А4 AD 24 18 БЕ BE B2 24 B5 46 B8 


client_write_iv_hs = HKDF-Expand-Label(CHTS, "iv", "", 16):
00000: E8 94 3C 9F A2 88 56 A1 


client_record_write_key = TLSTREE(client_write_key_hs, 0):
00000: BD 00 9F ЕС 04 АӨ 52 9E 60 78 ЕВ А5 АӨ 7A DE 74
00010: 93 7Ғ ЕЗ А1 АВ 75 F7 АЕ 05 19 04 78 51 9B 6D ЕЗ


seqnum:
00000: 00 00 00 00 00 00 00 00


nonce:
00000: 68 94 3C 9F A2 88 56 A1


additional_data: 
00000: 17 03 03 00 2D 


TLSInnerPlaintext: 

00000: 14 00 00 20 BB 83 09 94 BE 38 A9 8F FC A3 BF D2
00010: 35 CD 80 7E 81 82 1E 67 37 AB 98 31 43 DC A9 7B
00020: 9E E0 23 25 16


Record layer message:

type: 17
legacy_record_version: 0303
length: 002D
encrypted_record: 14254CA6B9EBCC4A951A3D1F1040B0B1
                  45446DF131946CEECBDB6A8EC534F194
                  223281B565324703C492160E2C

TLSCiphertext:
00000: 17 03 03 00 2D 14 25 4C A6 B9 EB CC 4A 95 1A 3D
00010: 1F 10 40 B0 B1 45 44 6D F1 31 94 6C EE CB DB 6A
00020: 8E C5 34 F1 94 22 32 81 B5 65 32 A7 03 CA 92 16
00030: 0E 2C


Application data: 
00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[...]
000003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 


Record payload protection: 


Derived #1 = Derive-Secret(HandshakeSecret, "derived", "") = 


HKDF-Expand-Label(HandshakeSecret, "derived", "", 32): 
00000: ВС 4D 6F ЕЗ D9 43 78 21 1D 3D 64 1С 75 92 ЕВ АА 
00010: 7A А2 96 47 9C 57 BD D1 ЕТ 4C 7B 04 9F 6D F1 CD 


MainSecret = HKDF-Extract(Salt: Derived #1, IKM: 0^256):
00000: DB ЕЕ 82 86 2Е 54 А1 41 3E 6C 2E D8 2C 6D A5 AF 
00010: FD BF DE 12 30 2E 49 75 5B 61 F2 06 32 E1 0A 42 


HM2 = (FE 00 00 20 | Hash(ClientHello1), HelloRetryRequest,
ClientHello2, ServerHello, 
EncryptedExtensions, Server Finished) 


TH2 = Transcript-Hash(HM2) : 
00000: 53 06 24 EE 07 6F FF ЕТ 04 DC 15 ЕВ B4 2D 78 8Е 
00010: ЛЕ ДЕ ЕВ ЗЕ 8C 2D СЕ A5 СВ 85 D7 2Ғ 81 ре 6D 15 


SATS = Derive-Secret(MainSecret, "s ap traffic", HM2) =
HKDF-Expand-Label(MainSecret, "s ap traffic", TH2, 32): 
00000: 52 91 26 2B EC B5 22 69 34 ЗА ЕВ 27 9B 43 54 B1 
00010: 89 22 D5 15 04 60 8B А7 21 C4 72 46 7E ЕЕ Е8 78 


server_write_key_ap = HKDF-Expand-Label(SATS, "key", "", 32): 


00000: 15 09 2С 51 47 B2 13 10 ED ED F5 5B 3D 7А B7 76 
00010: 81 7D 6F Е2 FC F2 30 07 ЕЗ F2 92 75 F6 E2 41 EC


server_write_iv_ap = HKDF-Expand-Label(SATS, "iv", "", 8):
00000: 71 2E 2F 11 CD 50 6E B9 


server_record_write_key = TLSTREE(server_write_key_ap, 0):
00000: 7B B8 81 55 35 98 DE F5 34 FC AF 9B 77 A3 35 5B 
00010: C3 BC A3 87 40 67 40 F6 CB F5 C1 B6 D3 5C 65 ED 


seqnum: 
00000: 00 00 00 00 00 00 00 00 


nonce: 
00000: 71 2E 2F 11 CD 50 6E B9


additional_data:
00000: 17 03 03 04 09 


TLSInnerPlaintext: 
00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 


[...]
000003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00000400: 17 


Record layer message: 


type: 17 

legacy_record_version: 0303 

length: 0409 

encrypted_record: 7CAA82039F67326C2D735EE809B57750 


Application data: 


00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[...]
000003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00




Record payload protection: 


server_record_write_key = TLSTREE(server_write_key_ap, 1):


00000: 7B B8 81 55 35 98 DE F5 34 FC AF 9B 77 A3 35 5B 
00010: C3 BC A3 87 4D 67 40 F6 CB F5 C1 B6 D3 5C 65 ED 

seqnum:
00000: 00 00 00 00 00 00 00 01


nonce:
00000: 71 2E 2F 11 CD 50 6E B8


additional_data: 
00000: 17 03 03 04 09 


TLSInnerPlaintext: 


00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 


000003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00


00000400: 17 


Record layer message: 


type: 17 

legacy_record_version: 0303 

length: 0409 

encrypted_record: DC593FC6FAFC5191242B632E144504A2 




Application data:

00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[...]
000003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00


Record payload protection:

server_record_write_key = TLSTREE(server_write_key_ap, 128):
00000: 93 05 06 ЕТ 03 6F DF ВЗ EF BF 31 Е6 DA БЕ ЕС Е6
00010: 85 17 1С 97 7Ғ Е9 CD 6С ЗА ЗЕ 67 СО 22 ДА В6 ЕВ

seqnum:
00000: 00 00 00 00 00 00 00 80

nonce:
00000: 71 2E 2F 11 CD 50 6E 39

additional_data:
00000: 17 03 03 04 09

TLSInnerPlaintext:
00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[...]
000003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000400: 17

Record layer message:

type: 17
legacy_record_version: 0303
length: 0409
encrypted_record: 56A7E2F32541DBO0EE1563F8CA79EB129




Application data:

00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[...]
000003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00


Record payload protection:

server_record_write_key = TLSTREE(server_write_key_ap, 129):
00000: 93 05 06 ЕТ 03 6F DF ВЗ EF ВЕ 31 E6 DA 5E ЕС E6
00010: 85 17 1C 97 ТЕ Ғ9 CD 6C ЗА ЗЕ 67 СО 22 ДА В6 EB

seqnum:
00000: 00 00 00 00 00 00 00 81

nonce:
00000: 71 2E 2F 11 CD 50 6E 38

additional_data:
00000: 17 03 03 04 09

TLSInnerPlaintext:
00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[...]
000003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000400: 17


Record layer message:

type: 17
legacy_record_version: 0303
length: 0409
encrypted_record: EE73C4CAE69FD30BC4B3A66CA571CD9F


Alert message:
level: 01
description: 00

00000: 01 00




Record payload protection: 


server_record_write_key = TLSTREE(server_write_key_ap, 130):
00000: 93 D5 D6 E1 03 6F DF B3 EF BF 31 E6 DA 5E EC E6 
00010: 85 17 1C 97 7F F9 CD 6C ЗА ЗЕ 67 СВ 22 4A B6 EB 


seqnum: 


00000: 00 00 00 00 00 00 00 82 

nonce:
00000: 71 2E 2F 11 CD 50 6E 3B


additional_data:
00000: 17 03 03 00 0B


TLSInnerPlaintext: 
00000: 01 00 15 


Record layer message:

type: 17
legacy_record_version: 0303
length: 000B
encrypted_record: 447A3FAE8F86C135189B10

TLSCiphertext:
00000: 17 03 03 00 0B 44 7A 3F AE 8F 86 C1 35 18 9B 10

Client

Alert message: 
level: 01 
description: 00 
00000: 01 00 
Record payload protection: 

Derived #1 = Derive-Secret(HandshakeSecret, "derived", "") = 

HKDF-Expand-Label(HandshakeSecret, "derived", "", 32): 


00000: ВС 4D 6F ЕЗ D9 43 78 21 1D 3D 64 1С 75 92 ЕВ AA 
00010: ТА А2 96 47 9С 57 BD D1 ЕТ 4C 7B 04 9Е 6D F1 Ср 


MainSecret = HKDF-Extract(Salt: Derived #1, IKM: 0^256):
00000: DB ҒҒ 82 86 2Е 54 А1 41 ЗЕ 6С 2Е D8 2C 6D А5 АҒ
00010: FD BF DE 12 30 2E 49 75 5B 61 F2 06 32 E1 0A 42


HM2 = (FE 00 00 20 | Hash(ClientHello1), HelloRetryRequest,
ClientHello2, ServerHello, EncryptedExtensions,
Server Finished)


TH2 = Transcript-Hash(HM2):
00000: 53 06 24 ЕЕ 07 6F ҒҒ ЕТ 04 DC 15 EB ВА 2D 78 8F 
00010: ЛЕ ДЕ EB ЗЕ 8C 2D СЕ A5 СВ 85 07 2Ғ 81 ре 6D 15 


client_application_traffic_secret (CATS):

CATS = Derive-Secret(MainSecret, "c ap traffic", HM2) =
HKDF-Expand-Label(MainSecret, "c ap traffic", TH2, 32):
00000: 20 09 85 05 В8 4D 9D 8D 4Е БЕ СЕ CD BC DD 67 41
00010: 55 F1 82 F7 28 7B 18 4D А5 53 42 5C 6C 64 57 83


client_write_key_ap = HKDF-Expand-Label(CATS, "key", "", 32):
00000: EB D2 71 DE 19 FE E1 8B B1 99 8F 69 AF 5B 64A E1 
00010: 89 58 E8 D3 70 2F 12 FB B5 BO ЗЕ 6F D6 91 FE FA 


client_write_iv_ap = HKDF-Expand-Label(CATS, "iv", "", 8):
00000: 18 FB 03 8D BF 72 41 E6 

client_record_write_key = TLSTREE(client_write_key_ap, 0):
00000: 86 2А 74 18 ОВ 4A E4 C2 D1 5F 4A 62 ED 8A 4A 75 
00010: ва 8D 72 BO 46 АҒ DE СВ ЗА 8E F0 C2 67 F4 56 ВО 


seqnum:
00000: 00 00 00 00 00 00 00 00


nonce:
00000: 18 FB 03 8D BF 72 41 E6


additional_data:
00000: 17 03 03 00 0B


TLSInnerPlaintext: 
00000: 01 00 15 


Record layer message:

type: 17
legacy_record_version: 0303
length: 000B
encrypted_record: 464AEEAD391D97987169F3

TLSCiphertext:
00000: 17 03 03 00 0B 46 4A EE AD 39 1D 97 98 71 69 F3
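
The record-layer bookkeeping in the vectors above (nonce, additional_data, TLSInnerPlaintext, record length) can be re-checked without a GOST library. The Python code below is an added example, not part of the RFC: the nonce rule (write IV XOR sequence number, top bit cleared) and the 8-byte tag length are assumptions read off these vectors, the function and constant names are hypothetical, and the byte strings are copied from this section.

```python
"""Re-check record-layer bookkeeping for the C104 vectors (added example).

Assumptions inferred from the vectors in this section, not quoted RFC text:
  * nonce = write IV XOR big-endian sequence number, top bit cleared;
  * the AEAD tag of cipher suite C104 is 8 bytes long.
"""

TAG_LEN = 8                    # assumption: record length minus inner plaintext
OPAQUE_TYPE = 0x17             # outer content type of every protected record
LEGACY_VERSION = b"\x03\x03"   # legacy_record_version of protected records


def record_nonce(write_iv: bytes, seqnum: int) -> bytes:
    """XOR the sequence number into the IV, then clear the top bit."""
    seq = seqnum.to_bytes(len(write_iv), "big")
    mixed = bytes(a ^ b for a, b in zip(write_iv, seq))
    return bytes([mixed[0] & 0x7F]) + mixed[1:]


def inner_plaintext(content: bytes, content_type: int, padding: int = 0) -> bytes:
    """TLSInnerPlaintext: content, real content type, optional zero padding."""
    return content + bytes([content_type]) + bytes(padding)


def additional_data(inner_len: int) -> bytes:
    """Record header that is authenticated but not encrypted."""
    length = (inner_len + TAG_LEN).to_bytes(2, "big")
    return bytes([OPAQUE_TYPE]) + LEGACY_VERSION + length


def split_record(record: bytes):
    """Return (type, version, body); reject a length field that lies."""
    if len(record) < 5:
        raise ValueError("record shorter than its 5-byte header")
    length = int.from_bytes(record[3:5], "big")
    body = record[5:]
    if len(body) != length:
        raise ValueError(f"length field {length:#06x}, but {len(body)} bytes follow")
    return record[0], record[1:3], body


def check_protected_record(write_iv, seqnum, content, content_type, record):
    """Check a TLSCiphertext against its plaintext; return (nonce, aad)."""
    ctype, version, body = split_record(record)
    if ctype != OPAQUE_TYPE or version != LEGACY_VERSION:
        raise ValueError("not a protected TLS 1.3 record")
    inner = inner_plaintext(content, content_type)
    aad = additional_data(len(inner))
    if record[:5] != aad:
        raise ValueError("record header differs from additional_data")
    return record_nonce(write_iv, seqnum), aad


# Values copied from the vectors in this section.
SERVER_HS_IV = bytes.fromhex("FC9E2AC66304C25B")
CLIENT_HS_IV = bytes.fromhex("E8943C9FA28856A1")
SERVER_AP_IV = bytes.fromhex("712E2F11CD506EB9")
CLIENT_AP_IV = bytes.fromhex("18FB038DBF7241E6")
ENCRYPTED_EXTENSIONS = bytes.fromhex("080000020000")
EE_RECORD = bytes.fromhex("170303000F4967A7E1AE7BFB375A0F4B25459117")
CLOSE_NOTIFY = bytes.fromhex("0100")
SERVER_ALERT_RECORD = bytes.fromhex("170303000B447A3FAE8F86C135189B10")
CLIENT_ALERT_RECORD = bytes.fromhex("170303000B464AEEAD391D97987169F3")

if __name__ == "__main__":
    checks = [
        ("EncryptedExtensions", SERVER_HS_IV, 0, ENCRYPTED_EXTENSIONS, 0x16, EE_RECORD),
        ("server alert", SERVER_AP_IV, 130, CLOSE_NOTIFY, 0x15, SERVER_ALERT_RECORD),
        ("client alert", CLIENT_AP_IV, 0, CLOSE_NOTIFY, 0x15, CLIENT_ALERT_RECORD),
    ]
    for name, iv, seq, content, ctype, record in checks:
        nonce, aad = check_protected_record(iv, seq, content, ctype, record)
        print(f"{name}: nonce={nonce.hex().upper()} aad={aad.hex().upper()}")
```
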


Contributors 


Lilia Akhmetzyanova 
CryptoPro 
Email: lah@cryptopro.ru 


Alexandr Sokolov 
CryptoPro 
Email: sokolov@cryptopro.ru 


Vasily Nikolaev 
CryptoPro 
Email: nikolaev@cryptopro.ru 


Authors' Addresses 


Stanislav Smyshlyaev (EDITOR) 
CryptoPro 

18, Suschevsky val 

Moscow 

127018 

Russian Federation 

Phone: +7 (495) 995-48-20 
Email: svs@cryptopro.ru 


Smyshlyaev, et al. Informational Page 70


RFC 9367 GOST Cipher Suites for TLS 1.3 February 2023


Evgeny Alekseev 

CryptoPro 

18, Suschevsky val 

Moscow 

127018 

Russian Federation 

Email: alekseev@cryptopro.ru 


Ekaterina Griboedova 

CryptoPro 

18, Suschevsky val 

Moscow 

127018 

Russian Federation 

Email: griboedovaekaterina@gmail.com 


Alexandra Babueva 
CryptoPro 

18, Suschevsky val 

Moscow 

127018 

Russian Federation 

Email: babueva@cryptopro.ru 


Lidiia Nikiforova 

CryptoPro 

18, Suschevsky val 

Moscow 

127018 

Russian Federation 

Email: nikiforova@cryptopro.ru 




